Windows Analysis Report
PO-SINCO-PDF.exe

Overview

General Information

Sample name: PO-SINCO-PDF.exe
Analysis ID: 1538504
MD5: d211d2330e29f7b1a0347e9041fed469
SHA1: 04fb9b81b3a5bc12a591829fe32f032003371393
SHA256: bf7bccbcb60997695061aa9e272cdd14400b5e64727a826baa26f22a41757069
Tags: exeuser-lowmal3

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Disables UAC (registry)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PO-SINCO-PDF.exe (PID: 7460 cmdline: "C:\Users\user\Desktop\PO-SINCO-PDF.exe" MD5: D211D2330E29F7B1A0347E9041FED469)
    • powershell.exe (PID: 7596 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-SINCO-PDF.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7952 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • ngen.exe (PID: 7652 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" MD5: 417D6EA61C097F8DF6FEF2A57F9692DF)
    • ngen.exe (PID: 7668 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" MD5: 417D6EA61C097F8DF6FEF2A57F9692DF)
    • WerFault.exe (PID: 7768 cmdline: C:\Windows\system32\WerFault.exe -u -p 7460 -s 896 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
No configs have been found
Source: 00000004.00000002.1799111466.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000004.00000002.1799111466.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown, Strings:
  • 0x2f0a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17192:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000004.00000002.1799357610.0000000005270000.00000004.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000004.00000002.1799357610.0000000005270000.00000004.00001000.00020000.00000000.sdmp, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown, Strings:
  • 0x2bd60:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13e4f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000000.00000002.1555948913.0000000003073000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: 4.2.ngen.exe.400000.0.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 4.2.ngen.exe.400000.0.unpack, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown, Strings:
  • 0x2e2a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16392:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 4.2.ngen.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 4.2.ngen.exe.400000.0.raw.unpack, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown, Strings:
  • 0x2f0a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17192:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-SINCO-PDF.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-SINCO-PDF.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-SINCO-PDF.exe", ParentImage: C:\Users\user\Desktop\PO-SINCO-PDF.exe, ParentProcessId: 7460, ParentProcessName: PO-SINCO-PDF.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-SINCO-PDF.exe" -Force, ProcessId: 7596, ProcessName: powershell.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-SINCO-PDF.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-SINCO-PDF.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-SINCO-PDF.exe", ParentImage: C:\Users\user\Desktop\PO-SINCO-PDF.exe, ParentProcessId: 7460, ParentProcessName: PO-SINCO-PDF.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-SINCO-PDF.exe" -Force, ProcessId: 7596, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: PO-SINCO-PDF.exe, Avira: detected
Source: PO-SINCO-PDF.exe, ReversingLabs: Detection: 50%
Source: Yara match, File source: 4.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000002.1799111466.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1799357610.0000000005270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: PO-SINCO-PDF.exe, Joe Sandbox ML: detected

Exploits

Source: Yara match, File source: 00000000.00000002.1555948913.0000000003073000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: PO-SINCO-PDF.exe PID: 7460, type: MEMORYSTR
Source: PO-SINCO-PDF.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Windows.Forms.pdb source: WERC63D.tmp.dmp.8.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERC63D.tmp.dmp.8.dr
Source: Binary string: System.Core.pdbP source: WERC63D.tmp.dmp.8.dr
Source: Binary string: mscorlib.pdb source: WERC63D.tmp.dmp.8.dr
Source: Binary string: System.ni.pdbRSDS source: WERC63D.tmp.dmp.8.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERC63D.tmp.dmp.8.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WERC63D.tmp.dmp.8.dr
Source: Binary string: System.Drawing.pdb source: WERC63D.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdb source: WERC63D.tmp.dmp.8.dr
Source: Binary string: wntdll.pdbUGP source: ngen.exe, 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdb source: WERC63D.tmp.dmp.8.dr
Source: Binary string: wntdll.pdb source: ngen.exe, ngen.exe, 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WERC63D.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERC63D.tmp.dmp.8.dr
Source: Binary string: Microsoft.VisualBasic.pdbH source: WERC63D.tmp.dmp.8.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERC63D.tmp.dmp.8.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WERC63D.tmp.dmp.8.dr
Source: Binary string: System.ni.pdb source: WERC63D.tmp.dmp.8.dr
Source: Binary string: System.pdb source: WERC63D.tmp.dmp.8.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERC63D.tmp.dmp.8.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERC63D.tmp.dmp.8.dr
Source: Binary string: System.Core.ni.pdb source: WERC63D.tmp.dmp.8.dr
Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe, Code function: 4x nop then jmp 00007FFB4B333F26h, 0_2_00007FFB4B333D31
Source: Amcache.hve.8.dr, String found in binary or memory: http://upx.sf.net

E-Banking Fraud

Source: Yara match, File source: 4.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000002.1799111466.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1799357610.0000000005270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 4.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.1799111466.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.1799357610.0000000005270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_0042C353 NtClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C35C0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2DF0 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2C70 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2B60 NtClose, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C4650 NtSuspendThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C3090 NtSetValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C3010 NtOpenDirectoryObject
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C4340 NtSetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2DB0 NtEnumerateKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2DD0 NtDelayExecution
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2D00 NtSetInformationFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C3D10 NtOpenProcessToken
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2D10 NtMapViewOfSection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2D30 NtUnmapViewOfSection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C3D70 NtOpenThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2CA0 NtQueryInformationToken
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2CC0 NtQueryVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2CF0 NtOpenProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2C00 NtQueryInformationProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2C60 NtCreateKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2F90 NtProtectVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2FA0 NtQuerySection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2FB0 NtResumeThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2FE0 NtCreateFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2F30 NtCreateSection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2F60 NtCreateProcessEx
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2E80 NtReadVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2EA0 NtAdjustPrivilegesToken
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2EE0 NtQueueApcThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2E30 NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C39B0 NtGetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2B80 NtQueryInformationFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2BA0 NtEnumerateValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2BE0 NtQueryValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2BF0 NtAllocateVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2AB0 NtWaitForSingleObject
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2AD0 NtReadFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe, Code function: 4_2_058C2AF0 NtWriteFile
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: String function: 0587B970 appears 266 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: String function: 058D7E54 appears 88 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: String function: 058C5130 appears 36 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: String function: 0590F290 appears 105 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: String function: 058FEA12 appears 84 times
            Source: PO-SINCO-PDF.exe Static PE information: No import functions for PE file found
            Source: PO-SINCO-PDF.exe, 00000000.00000002.1557832040.0000000012DE7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameOqupufo6 vs PO-SINCO-PDF.exe
            Source: 4.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 4.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 00000004.00000002.1799111466.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 00000004.00000002.1799357610.0000000005270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116
            Rule metadata (identical for the four matches above): reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: PO-SINCO-PDF.exe Static PE information: Section .text
            Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@10/10@0/0
            Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7460
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mvixqlf4.mpp.ps1
            Source: PO-SINCO-PDF.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: PO-SINCO-PDF.exe ReversingLabs: Detection: 50%
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe File read: C:\Users\user\Desktop\PO-SINCO-PDF.exe
            Source: unknown Process created: C:\Users\user\Desktop\PO-SINCO-PDF.exe "C:\Users\user\Desktop\PO-SINCO-PDF.exe"
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-SINCO-PDF.exe" -Force
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" (launched twice)
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7460 -s 896
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
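The process tree above carries the two behaviours a detection engineer would key on: the sample spawning powershell.exe to add a Defender exclusion for its own path, and ngen.exe (a .NET Framework utility) started by a user-profile executable with no arguments, which is how a hollowing target looks in creation telemetry before any memory scan matches the Formbook rule. The following is an added example, not part of the Joe Sandbox report: a Python pass over process-creation events constructed to mirror that tree. Only PID 7460 is taken from the report; every other PID, the event field layout, the -EncodedCommand variant and the two benign baseline events are assumptions made for the example.

```python
"""Process-creation triage for the two behaviours in this report's process
tree: PowerShell adding a Defender exclusion, and a .NET Framework utility
(ngen.exe) launched with no arguments by an executable in a user profile.
All events below are constructed for the example; only PID 7460 comes from
the report, every other PID and the two benign baseline events are made up.
"""
import base64
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    parent_image: str   # full path of the creator
    command_line: str


# Defender tampering through the MpPreference cmdlets.
EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)", re.I)
DISABLE_RE = re.compile(r"\bSet-MpPreference\b.*?-Disable\w+", re.I)
# -EncodedCommand (and its short forms) carrying base64 of a UTF-16LE script.
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)

# .NET Framework utilities that .NET unpackers commonly start suspended,
# argument-less, and hollow with the real payload.
HOLLOW_TARGETS = {"ngen.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                  "installutil.exe", "aspnet_compiler.exe", "applaunch.exe"}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NGEN = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
SAMPLE = r"C:\Users\user\Desktop\PO-SINCO-PDF.exe"

# Constructed: the same exclusion cmdlet hidden behind -EncodedCommand.
ENCODED_PAYLOAD = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'.encode("utf-16-le")
).decode("ascii")

EVENTS = [
    ProcEvent(7460, 4100, SAMPLE, r"C:\Windows\explorer.exe", f'"{SAMPLE}"'),
    ProcEvent(7604, 7460, PS, SAMPLE,
              f'"{PS}" Add-MpPreference -ExclusionPath "{SAMPLE}" -Force'),
    ProcEvent(7612, 7604, r"C:\Windows\System32\conhost.exe", PS,
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(7620, 7460, PS, SAMPLE, f'"{PS}" -NoProfile -EncodedCommand {ENCODED_PAYLOAD}'),
    ProcEvent(7650, 7460, NGEN, SAMPLE, f'"{NGEN}"'),   # first argument-less launch
    ProcEvent(7664, 7460, NGEN, SAMPLE, f'"{NGEN}"'),   # second instance
    ProcEvent(7700, 7460, r"C:\Windows\System32\WerFault.exe", SAMPLE,
              r"C:\Windows\system32\WerFault.exe -u -p 7460 -s 896"),
    # Benign baselines: ngen driven by the .NET optimisation service, and an
    # administrator adding an exclusion from an ordinary console.
    ProcEvent(3001, 2900, NGEN, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe",
              f'"{NGEN}" install "System.Core" /queue:1'),
    ProcEvent(3100, 3050, PS, r"C:\Windows\System32\cmd.exe",
              r'powershell.exe Add-MpPreference -ExclusionPath "D:\build"'),
]


def expand_encoded(command_line: str) -> str:
    """Append the decoded -EncodedCommand payload so the regexes see it."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return command_line
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return command_line
    return f"{command_line} {decoded}"


def arguments_after_image(command_line: str) -> str:
    """Everything after the executable token; handles a quoted image path."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def in_user_profile(path: str) -> bool:
    return path.lower().startswith("c:\\users\\")


def scan(events):
    """Return (rule, severity, pid) for every event that trips a rule."""
    findings = []
    for ev in events:
        name = ntpath.basename(ev.image).lower()
        cmd = expand_encoded(ev.command_line)
        if name in ("powershell.exe", "pwsh.exe") and (EXCLUSION_RE.search(cmd) or DISABLE_RE.search(cmd)):
            # Admins do add exclusions; a parent in a user profile is the strong signal.
            severity = "high" if in_user_profile(ev.parent_image) else "medium"
            findings.append(("defender_tamper", severity, ev.pid))
        if (name in HOLLOW_TARGETS and not arguments_after_image(ev.command_line)
                and not ev.parent_image.lower().startswith("c:\\windows\\")):
            findings.append(("hollow_target_no_args", "high", ev.pid))
    return findings


if __name__ == "__main__":
    for rule, severity, pid in scan(EVENTS):
        print(f"{severity:6} {rule:22} pid={pid}")
```

Command-line regexes alone miss the -EncodedCommand form, so the scan decodes it before matching; the ngen.exe rule needs nothing but creation data (no arguments, parent outside C:\Windows), which is available long before the injected payload is written and the YARA rule fires.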
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: ucrtbase_clr0400.dll (loaded twice)
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: slc.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll (loaded twice)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll (loaded twice)
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll (loaded twice)
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: PO-SINCO-PDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: PO-SINCO-PDF.exe Static file information: File size 1394775 > 1048576
            Source: PO-SINCO-PDF.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
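The static findings for the sample (no import functions, an IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entry, a single .text section flagged CODE/EXECUTE/READ, and DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE) all come from a few header fields. The combination is what a managed image looks like: the OS loader recognises the CLR header in the COM descriptor directory and hands the image to mscoree.dll (the first DLL the sample loads above), so the image needs no import table, whereas a native image without imports would be far stranger. The following is an added example, not part of the report: a header parser that reads exactly those fields, applied to two constructed header-only images. The builder's values (RVAs, sizes, section layout) are assumptions for the example, not bytes from the analysed sample.

```python
"""Header-only PE triage for the static properties this report lists:
import directory presence, CLR (COM descriptor) directory, DllCharacteristics
and section flags. The two images at the bottom are constructed headers that
reproduce those properties; they are not bytes from the analysed sample and
are not loadable (no code, no real directories).
"""
import struct

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
SECTION_CHARACTERISTICS = {
    0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE",
}
DIR_IMPORT, DIR_COM_DESCRIPTOR = 1, 14


def _flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def pe_triage(data: bytes) -> dict:
    """Parse DOS/COFF/optional headers and the section table (no RVA resolution)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]      # same offset for PE32/PE32+
    nrva_off = opt + (108 if pe32plus else 92)                   # NumberOfRvaAndSizes
    nrva = struct.unpack_from("<I", data, nrva_off)[0]
    dirs = [struct.unpack_from("<II", data, nrva_off + 4 + 8 * i) for i in range(nrva)]

    def present(i):
        return i < len(dirs) and dirs[i][0] != 0 and dirs[i][1] != 0

    sections = []
    for i in range(nsections):
        raw = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        name = raw[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, _flags(raw[9], SECTION_CHARACTERISTICS)))
    return {
        "pe32plus": pe32plus,
        "managed": present(DIR_COM_DESCRIPTOR),   # CLR header present => .NET image
        "has_imports": present(DIR_IMPORT),
        "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
        "sections": sections,
    }


def build_header_only_pe(*, pe32plus, dll_chars, sections, import_size, com_size):
    """Constructed test input: DOS stub, PE signature, COFF + optional header
    with 16 data directories, and one section header per (name, characteristics)."""
    ndirs = 16
    fixed = 112 if pe32plus else 96                      # offset of the directory table
    opt = bytearray(fixed + 8 * ndirs)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, fixed - 4, ndirs)
    for idx, size in ((DIR_IMPORT, import_size), (DIR_COM_DESCRIPTOR, com_size)):
        struct.pack_into("<II", opt, fixed + 8 * idx, 0x2000 + 0x100 * idx if size else 0, size)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, len(sections),
                       0, 0, 0, len(opt), 0x0022 if pe32plus else 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed: a managed 64-bit image with a CLR header, no import directory
# and a single RX .text section, matching the static findings in the report.
MANAGED_IMAGE = build_header_only_pe(
    pe32plus=True, dll_chars=0x0040 | 0x0100 | 0x0400 | 0x8000,
    sections=[(b".text", 0x60000020)], import_size=0, com_size=0x48)
# Constructed contrast: a native 32-bit image with imports and a data section.
NATIVE_IMAGE = build_header_only_pe(
    pe32plus=False, dll_chars=0x0040 | 0x0100 | 0x8000,
    sections=[(b".text", 0x60000020), (b".data", 0xC0000040)], import_size=0x50, com_size=0)

if __name__ == "__main__":
    for label, image in (("managed", MANAGED_IMAGE), ("native", NATIVE_IMAGE)):
        print(label, pe_triage(image))
```

Run against a real file with `pe_triage(open(path, "rb").read())`; the managed/no-imports pairing plus a lone executable section is the signature of a .NET loader stage such as the one the report unpacks into ngen.exe.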
            Source: Binary string: System.Windows.Forms.pdb source: WERC63D.tmp.dmp.8.dr
            Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERC63D.tmp.dmp.8.dr
            Source: Binary string: System.Core.pdbP source: WERC63D.tmp.dmp.8.dr
            Source: Binary string: mscorlib.pdb source: WERC63D.tmp.dmp.8.dr
            Source: Binary string: System.ni.pdbRSDS source: WERC63D.tmp.dmp.8.dr
            Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERC63D.tmp.dmp.8.dr
            Source: Binary string: System.Windows.Forms.ni.pdb source: WERC63D.tmp.dmp.8.dr
            Source: Binary string: System.Drawing.pdb source: WERC63D.tmp.dmp.8.dr
            Source: Binary string: mscorlib.ni.pdb source: WERC63D.tmp.dmp.8.dr
            Source: Binary string: wntdll.pdbUGP source: ngen.exe, 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: System.Drawing.ni.pdb source: WERC63D.tmp.dmp.8.dr
            Source: Binary string: wntdll.pdb source: ngen.exe, ngen.exe, 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: WERC63D.tmp.dmp.8.dr
            Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERC63D.tmp.dmp.8.dr
            Source: Binary string: Microsoft.VisualBasic.pdbH source: WERC63D.tmp.dmp.8.dr
            Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERC63D.tmp.dmp.8.dr
            Source: Binary string: System.Drawing.ni.pdbRSDS source: WERC63D.tmp.dmp.8.dr
            Source: Binary string: System.ni.pdb source: WERC63D.tmp.dmp.8.dr
            Source: Binary string: System.pdb source: WERC63D.tmp.dmp.8.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WERC63D.tmp.dmp.8.dr
            Source: Binary string: Microsoft.VisualBasic.pdb source: WERC63D.tmp.dmp.8.dr
            Source: Binary string: System.Core.ni.pdb source: WERC63D.tmp.dmp.8.dr
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Code function: 0_2_00007FFB4B3300BD pushad ; iretd 0_2_00007FFB4B3300C1
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Code function: 0_2_00007FFB4B33469D pushad ; ret 0_2_00007FFB4B3346B9
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Code function: 0_2_00007FFB4B400062 push esp; retf 4810h 0_2_00007FFB4B400312
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_00413063 push esi; retf 4_2_0041306E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0040C18A push 00000045h; iretd 4_2_0040C18C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0041EA00 push ebp; ret 4_2_0041EA03
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0040AA21 push ss; retf 4_2_0040AA22
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_00403340 push eax; ret 4_2_00403342
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_00418BA1 pushad ; iretd 4_2_00418BA2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_00423452 push FFFFFFE2h; retf 4_2_004235B6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0040D51E push 00000066h; ret 4_2_0040D523
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0040D534 push eax; iretd 4_2_0040D556
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_00418DEE push ds; ret 4_2_00418DEF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0041A5A4 push cs; iretd 4_2_0041A5A5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0041E627 pushfd ; ret 4_2_0041E628
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_00411FB5 push ecx; iretd 4_2_00411FB6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_004147BF push ebp; iretd 4_2_004147DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058809AD push ecx; mov dword ptr [esp], ecx 4_2_058809B6

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 times)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 times)
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Process information set: NOOPENFILEERRORBOX (36 times)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (62 times)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match File source: Process Memory Space: PO-SINCO-PDF.exe PID: 7460, type: MEMORYSTR
            Source: PO-SINCO-PDF.exe, 00000000.00000002.1555948913.0000000003073000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
            Source: PO-SINCO-PDF.exe, 00000000.00000002.1555948913.0000000003073000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Memory allocated: 11C0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Memory allocated: 1ADE0000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058ABD30 rdtscp
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7239
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2493
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe API coverage: 0.8 %
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7860 Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe TID: 7656 Thread sleep time: -30000s >= -30000s
            Source: Amcache.hve.8.dr Binary or memory string: VMware
            Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
            Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin
            Source: Amcache.hve.8.dr Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
            Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
            Source: PO-SINCO-PDF.exe, 00000000.00000002.1555948913.0000000003073000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: Amcache.hve.8.dr Binary or memory string: VMware20,1hbin@
            Source: Amcache.hve.8.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.8.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.8.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.8.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: PO-SINCO-PDF.exe, 00000000.00000002.1555948913.0000000003073000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
            Source: PO-SINCO-PDF.exe, 00000000.00000002.1555948913.0000000003073000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
            Source: Amcache.hve.8.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: PO-SINCO-PDF.exe, 00000000.00000002.1555948913.0000000003073000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
            Source: PO-SINCO-PDF.exe, 00000000.00000002.1555948913.0000000003073000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
            Source: Amcache.hve.8.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.8.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.8.dr Binary or memory string: vmci.sys
            Source: PO-SINCO-PDF.exe, 00000000.00000002.1555948913.0000000003073000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
            Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin`
            Source: PO-SINCO-PDF.exe, 00000000.00000002.1555948913.0000000003073000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
            Source: Amcache.hve.8.dr Binary or memory string: \driver\vmci,\driver\pci
            Source: PO-SINCO-PDF.exe, 00000000.00000002.1555948913.0000000003073000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
            Source: PO-SINCO-PDF.exe, 00000000.00000002.1555948913.0000000003073000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
            Source: Amcache.hve.8.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.8.dr Binary or memory string: VMware20,1
            Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.8.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.8.dr Binary or memory string: VMware PCI VMCI Bus Device
            Source: PO-SINCO-PDF.exe, 00000000.00000002.1555948913.0000000003073000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
            Source: PO-SINCO-PDF.exe, 00000000.00000002.1555948913.0000000003073000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
            Source: Amcache.hve.8.dr Binary or memory string: VMware VMCI Bus Device
            Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual RAM
            Source: Amcache.hve.8.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: Amcache.hve.8.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058ABD30 rdtscp
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_004174B3 LdrLoadDll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B4588 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0590B594 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587758F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05882582 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05882582 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058BE59C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A15A9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059135BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0593F5BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059005A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058AF5B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A45B1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059535D7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058BE5CF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B55C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A95DA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058865D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058BA5D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059555C9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058BC5ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058825E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058AE5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A15F4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B7505 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B7505 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05954500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05955537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058AE53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0592F525 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058BD530 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05890535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05890535 mov eax, dword ptr fs:[00000030h]4_2_05890535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05890535 mov eax, dword ptr fs:[00000030h]4_2_05890535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05890535 mov eax, dword ptr fs:[00000030h]4_2_05890535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05890535 mov eax, dword ptr fs:[00000030h]4_2_05890535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0593B52F mov eax, dword ptr fs:[00000030h]4_2_0593B52F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588D534 mov eax, dword ptr fs:[00000030h]4_2_0588D534
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588D534 mov eax, dword ptr fs:[00000030h]4_2_0588D534
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588D534 mov eax, dword ptr fs:[00000030h]4_2_0588D534
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588D534 mov eax, dword ptr fs:[00000030h]4_2_0588D534
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588D534 mov eax, dword ptr fs:[00000030h]4_2_0588D534
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588D534 mov eax, dword ptr fs:[00000030h]4_2_0588D534
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05888550 mov eax, dword ptr fs:[00000030h]4_2_05888550
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05888550 mov eax, dword ptr fs:[00000030h]4_2_05888550
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B656A mov eax, dword ptr fs:[00000030h]4_2_058B656A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B656A mov eax, dword ptr fs:[00000030h]4_2_058B656A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B656A mov eax, dword ptr fs:[00000030h]4_2_058B656A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587B562 mov eax, dword ptr fs:[00000030h]4_2_0587B562
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BB570 mov eax, dword ptr fs:[00000030h]4_2_058BB570
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BB570 mov eax, dword ptr fs:[00000030h]4_2_058BB570
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587B480 mov eax, dword ptr fs:[00000030h]4_2_0587B480
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05889486 mov eax, dword ptr fs:[00000030h]4_2_05889486
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05889486 mov eax, dword ptr fs:[00000030h]4_2_05889486
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0590A4B0 mov eax, dword ptr fs:[00000030h]4_2_0590A4B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058864AB mov eax, dword ptr fs:[00000030h]4_2_058864AB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B34B0 mov eax, dword ptr fs:[00000030h]4_2_058B34B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B44B0 mov ecx, dword ptr fs:[00000030h]4_2_058B44B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059554DB mov eax, dword ptr fs:[00000030h]4_2_059554DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058804E5 mov ecx, dword ptr fs:[00000030h]4_2_058804E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059294E0 mov eax, dword ptr fs:[00000030h]4_2_059294E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A340D mov eax, dword ptr fs:[00000030h]4_2_058A340D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B8402 mov eax, dword ptr fs:[00000030h]4_2_058B8402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B8402 mov eax, dword ptr fs:[00000030h]4_2_058B8402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B8402 mov eax, dword ptr fs:[00000030h]4_2_058B8402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587C427 mov eax, dword ptr fs:[00000030h]4_2_0587C427
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587E420 mov eax, dword ptr fs:[00000030h]4_2_0587E420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587E420 mov eax, dword ptr fs:[00000030h]4_2_0587E420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587E420 mov eax, dword ptr fs:[00000030h]4_2_0587E420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BA430 mov eax, dword ptr fs:[00000030h]4_2_058BA430
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0593F453 mov eax, dword ptr fs:[00000030h]4_2_0593F453
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588B440 mov eax, dword ptr fs:[00000030h]4_2_0588B440
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588B440 mov eax, dword ptr fs:[00000030h]4_2_0588B440
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588B440 mov eax, dword ptr fs:[00000030h]4_2_0588B440
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588B440 mov eax, dword ptr fs:[00000030h]4_2_0588B440
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588B440 mov eax, dword ptr fs:[00000030h]4_2_0588B440
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588B440 mov eax, dword ptr fs:[00000030h]4_2_0588B440
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BE443 mov eax, dword ptr fs:[00000030h]4_2_058BE443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BE443 mov eax, dword ptr fs:[00000030h]4_2_058BE443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BE443 mov eax, dword ptr fs:[00000030h]4_2_058BE443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BE443 mov eax, dword ptr fs:[00000030h]4_2_058BE443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BE443 mov eax, dword ptr fs:[00000030h]4_2_058BE443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BE443 mov eax, dword ptr fs:[00000030h]4_2_058BE443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BE443 mov eax, dword ptr fs:[00000030h]4_2_058BE443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BE443 mov eax, dword ptr fs:[00000030h]4_2_058BE443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A245A mov eax, dword ptr fs:[00000030h]4_2_058A245A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587645D mov eax, dword ptr fs:[00000030h]4_2_0587645D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05881460 mov eax, dword ptr fs:[00000030h]4_2_05881460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05881460 mov eax, dword ptr fs:[00000030h]4_2_05881460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05881460 mov eax, dword ptr fs:[00000030h]4_2_05881460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05881460 mov eax, dword ptr fs:[00000030h]4_2_05881460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05881460 mov eax, dword ptr fs:[00000030h]4_2_05881460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0589F460 mov eax, dword ptr fs:[00000030h]4_2_0589F460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0589F460 mov eax, dword ptr fs:[00000030h]4_2_0589F460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0589F460 mov eax, dword ptr fs:[00000030h]4_2_0589F460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0589F460 mov eax, dword ptr fs:[00000030h]4_2_0589F460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0589F460 mov eax, dword ptr fs:[00000030h]4_2_0589F460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0589F460 mov eax, dword ptr fs:[00000030h]4_2_0589F460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0595547F mov eax, dword ptr fs:[00000030h]4_2_0595547F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AA470 mov eax, dword ptr fs:[00000030h]4_2_058AA470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AA470 mov eax, dword ptr fs:[00000030h]4_2_058AA470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AA470 mov eax, dword ptr fs:[00000030h]4_2_058AA470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0593F78A mov eax, dword ptr fs:[00000030h]4_2_0593F78A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059537B6 mov eax, dword ptr fs:[00000030h]4_2_059537B6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058807AF mov eax, dword ptr fs:[00000030h]4_2_058807AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059097A9 mov eax, dword ptr fs:[00000030h]4_2_059097A9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AD7B0 mov eax, dword ptr fs:[00000030h]4_2_058AD7B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F7BA mov eax, dword ptr fs:[00000030h]4_2_0587F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F7BA mov eax, dword ptr fs:[00000030h]4_2_0587F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F7BA mov eax, dword ptr fs:[00000030h]4_2_0587F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F7BA mov eax, dword ptr fs:[00000030h]4_2_0587F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F7BA mov eax, dword ptr fs:[00000030h]4_2_0587F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F7BA mov eax, dword ptr fs:[00000030h]4_2_0587F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F7BA mov eax, dword ptr fs:[00000030h]4_2_0587F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F7BA mov eax, dword ptr fs:[00000030h]4_2_0587F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587F7BA mov eax, dword ptr fs:[00000030h]4_2_0587F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0590F7AF mov eax, dword ptr fs:[00000030h]4_2_0590F7AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0590F7AF mov eax, dword ptr fs:[00000030h]4_2_0590F7AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0590F7AF mov eax, dword ptr fs:[00000030h]4_2_0590F7AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0590F7AF mov eax, dword ptr fs:[00000030h]4_2_0590F7AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0590F7AF mov eax, dword ptr fs:[00000030h]4_2_0590F7AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588C7C0 mov eax, dword ptr fs:[00000030h]4_2_0588C7C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058857C0 mov eax, dword ptr fs:[00000030h]4_2_058857C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058857C0 mov eax, dword ptr fs:[00000030h]4_2_058857C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058857C0 mov eax, dword ptr fs:[00000030h]4_2_058857C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A27ED mov eax, dword ptr fs:[00000030h]4_2_058A27ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A27ED mov eax, dword ptr fs:[00000030h]4_2_058A27ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058A27ED mov eax, dword ptr fs:[00000030h]4_2_058A27ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588D7E0 mov ecx, dword ptr fs:[00000030h]4_2_0588D7E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058847FB mov eax, dword ptr fs:[00000030h]4_2_058847FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058847FB mov eax, dword ptr fs:[00000030h]4_2_058847FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05885702 mov eax, dword ptr fs:[00000030h]4_2_05885702
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05885702 mov eax, dword ptr fs:[00000030h]4_2_05885702
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05887703 mov eax, dword ptr fs:[00000030h]4_2_05887703
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BC700 mov eax, dword ptr fs:[00000030h]4_2_058BC700
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BF71F mov eax, dword ptr fs:[00000030h]4_2_058BF71F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BF71F mov eax, dword ptr fs:[00000030h]4_2_058BF71F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05880710 mov eax, dword ptr fs:[00000030h]4_2_05880710
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B0710 mov eax, dword ptr fs:[00000030h]4_2_058B0710
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05883720 mov eax, dword ptr fs:[00000030h]4_2_05883720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0595B73C mov eax, dword ptr fs:[00000030h]4_2_0595B73C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0595B73C mov eax, dword ptr fs:[00000030h]4_2_0595B73C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0595B73C mov eax, dword ptr fs:[00000030h]4_2_0595B73C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0595B73C mov eax, dword ptr fs:[00000030h]4_2_0595B73C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0589F720 mov eax, dword ptr fs:[00000030h]4_2_0589F720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0589F720 mov eax, dword ptr fs:[00000030h]4_2_0589F720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0589F720 mov eax, dword ptr fs:[00000030h]4_2_0589F720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BC720 mov eax, dword ptr fs:[00000030h]4_2_058BC720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BC720 mov eax, dword ptr fs:[00000030h]4_2_058BC720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588973A mov eax, dword ptr fs:[00000030h]4_2_0588973A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588973A mov eax, dword ptr fs:[00000030h]4_2_0588973A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B273C mov eax, dword ptr fs:[00000030h]4_2_058B273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B273C mov ecx, dword ptr fs:[00000030h]4_2_058B273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B273C mov eax, dword ptr fs:[00000030h]4_2_058B273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05879730 mov eax, dword ptr fs:[00000030h]4_2_05879730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05879730 mov eax, dword ptr fs:[00000030h]4_2_05879730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0593F72E mov eax, dword ptr fs:[00000030h]4_2_0593F72E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058FC730 mov eax, dword ptr fs:[00000030h]4_2_058FC730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0594972B mov eax, dword ptr fs:[00000030h]4_2_0594972B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B5734 mov eax, dword ptr fs:[00000030h]4_2_058B5734
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05904755 mov eax, dword ptr fs:[00000030h]4_2_05904755
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B674D mov esi, dword ptr fs:[00000030h]4_2_058B674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B674D mov eax, dword ptr fs:[00000030h]4_2_058B674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B674D mov eax, dword ptr fs:[00000030h]4_2_058B674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05893740 mov eax, dword ptr fs:[00000030h]4_2_05893740
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05893740 mov eax, dword ptr fs:[00000030h]4_2_05893740
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05893740 mov eax, dword ptr fs:[00000030h]4_2_05893740
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05880750 mov eax, dword ptr fs:[00000030h]4_2_05880750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058C2750 mov eax, dword ptr fs:[00000030h]4_2_058C2750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058C2750 mov eax, dword ptr fs:[00000030h]4_2_058C2750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05953749 mov eax, dword ptr fs:[00000030h]4_2_05953749
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587B765 mov eax, dword ptr fs:[00000030h]4_2_0587B765
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587B765 mov eax, dword ptr fs:[00000030h]4_2_0587B765
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587B765 mov eax, dword ptr fs:[00000030h]4_2_0587B765
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587B765 mov eax, dword ptr fs:[00000030h]4_2_0587B765
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05888770 mov eax, dword ptr fs:[00000030h]4_2_05888770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05890770 mov eax, dword ptr fs:[00000030h]4_2_05890770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05890770 mov eax, dword ptr fs:[00000030h]4_2_05890770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05890770 mov eax, dword ptr fs:[00000030h]4_2_05890770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05890770 mov eax, dword ptr fs:[00000030h]4_2_05890770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05890770 mov eax, dword ptr fs:[00000030h]4_2_05890770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05890770 mov eax, dword ptr fs:[00000030h]4_2_05890770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05890770 mov eax, dword ptr fs:[00000030h]4_2_05890770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05890770 mov eax, dword ptr fs:[00000030h]4_2_05890770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05890770 mov eax, dword ptr fs:[00000030h]4_2_05890770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05890770 mov eax, dword ptr fs:[00000030h]4_2_05890770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05890770 mov eax, dword ptr fs:[00000030h]4_2_05890770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05890770 mov eax, dword ptr fs:[00000030h]4_2_05890770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05884690 mov eax, dword ptr fs:[00000030h]4_2_05884690
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_05884690 mov eax, dword ptr fs:[00000030h]4_2_05884690
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0590368C mov eax, dword ptr fs:[00000030h]4_2_0590368C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0590368C mov eax, dword ptr fs:[00000030h]4_2_0590368C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0590368C mov eax, dword ptr fs:[00000030h]4_2_0590368C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0590368C mov eax, dword ptr fs:[00000030h]4_2_0590368C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587D6AA mov eax, dword ptr fs:[00000030h]4_2_0587D6AA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0587D6AA mov eax, dword ptr fs:[00000030h]4_2_0587D6AA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BC6A6 mov eax, dword ptr fs:[00000030h]4_2_058BC6A6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058776B2 mov eax, dword ptr fs:[00000030h]4_2_058776B2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058776B2 mov eax, dword ptr fs:[00000030h]4_2_058776B2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058776B2 mov eax, dword ptr fs:[00000030h]4_2_058776B2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B66B0 mov eax, dword ptr fs:[00000030h]4_2_058B66B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B16CF mov eax, dword ptr fs:[00000030h]4_2_058B16CF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588B6C0 mov eax, dword ptr fs:[00000030h]4_2_0588B6C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588B6C0 mov eax, dword ptr fs:[00000030h]4_2_0588B6C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588B6C0 mov eax, dword ptr fs:[00000030h]4_2_0588B6C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588B6C0 mov eax, dword ptr fs:[00000030h]4_2_0588B6C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588B6C0 mov eax, dword ptr fs:[00000030h]4_2_0588B6C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0588B6C0 mov eax, dword ptr fs:[00000030h]4_2_0588B6C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BA6C7 mov ebx, dword ptr fs:[00000030h]4_2_058BA6C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058BA6C7 mov eax, dword ptr fs:[00000030h]4_2_058BA6C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0593F6C7 mov eax, dword ptr fs:[00000030h]4_2_0593F6C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059416CC mov eax, dword ptr fs:[00000030h]4_2_059416CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059416CC mov eax, dword ptr fs:[00000030h]4_2_059416CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059416CC mov eax, dword ptr fs:[00000030h]4_2_059416CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059416CC mov eax, dword ptr fs:[00000030h]4_2_059416CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059006F1 mov eax, dword ptr fs:[00000030h]4_2_059006F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_059006F1 mov eax, dword ptr fs:[00000030h]4_2_059006F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_0593D6F0 mov eax, dword ptr fs:[00000030h]4_2_0593D6F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058B36EF mov eax, dword ptr fs:[00000030h]4_2_058B36EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AD6E0 mov eax, dword ptr fs:[00000030h]4_2_058AD6E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeCode function: 4_2_058AD6E0 mov eax, dword ptr fs:[00000030h]4_2_058AD6E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058FE6F2 mov eax, dword ptr fs:[00000030h] (4 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_059136EE mov eax, dword ptr fs:[00000030h] (6 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0589260B mov eax, dword ptr fs:[00000030h] (7 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058FE609 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058BF603 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058B1607 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C2619 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05883616 mov eax, dword ptr fs:[00000030h] (2 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0587F626 mov eax, dword ptr fs:[00000030h] (9 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05955636 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0588262C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058B6620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058B8620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0589E627 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0589C640 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058BA660 mov eax, dword ptr fs:[00000030h] (2 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058B9660 mov eax, dword ptr fs:[00000030h] (2 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0594866E mov eax, dword ptr fs:[00000030h] (2 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058B2674 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C0185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0590019F mov eax, dword ptr fs:[00000030h] (4 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0587A197 mov eax, dword ptr fs:[00000030h] (3 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0593C188 mov eax, dword ptr fs:[00000030h] (2 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058D7190 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_059311A4 mov eax, dword ptr fs:[00000030h] (4 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0589B1B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_059461C3 mov eax, dword ptr fs:[00000030h] (2 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058BD1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058BD1D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_059551CB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058A51EF mov eax, dword ptr fs:[00000030h] (13 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058851ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_059561E5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058B01F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05940115 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0592A118 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0592A118 mov eax, dword ptr fs:[00000030h] (3 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058B0124 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0587B136 mov eax, dword ptr fs:[00000030h] (4 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05881131 mov eax, dword ptr fs:[00000030h] (2 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05955152 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05879148 mov eax, dword ptr fs:[00000030h] (4 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0587C156 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05914144 mov eax, dword ptr fs:[00000030h] (4 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05914144 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05887152 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05886154 mov eax, dword ptr fs:[00000030h] (2 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05919179 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h] (21 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0588208A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0587D08D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058B909C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058AD090 mov eax, dword ptr fs:[00000030h] (2 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05885096 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_059460B8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_059460B8 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h] (14 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058970C0 mov ecx, dword ptr fs:[00000030h] (4 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_059550D9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_059020DE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058A90DB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058880E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0587A0E3 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058A50E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058A50E4 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0587C0F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058C20F0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0589E016 mov eax, dword ptr fs:[00000030h] (4 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0587A020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0587C020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0594903E mov eax, dword ptr fs:[00000030h] (4 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0592705E mov ebx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0592705E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05882050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058AB052 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05955060 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05891070 mov eax, dword ptr fs:[00000030h] (12 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05891070 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058AC073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058A438F mov eax, dword ptr fs:[00000030h] (2 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0595539D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0587E388 mov eax, dword ptr fs:[00000030h] (3 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_05878397 mov eax, dword ptr fs:[00000030h] (3 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058D739A mov eax, dword ptr fs:[00000030h] (2 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058B33A0 mov eax, dword ptr fs:[00000030h] (2 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058A33A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0593B3D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0588A3C0 mov eax, dword ptr fs:[00000030h] (6 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058883C0 mov eax, dword ptr fs:[00000030h] (4 hits)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_0593C3CD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | Code function: 4_2_058903E9 mov eax, dword ptr fs:[00000030h] (4 hits)
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe | Process token adjusted: Debug
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

Source: PO-SINCO-PDF.exe, ---.cs | Reference to suspicious API methods: LoadLibrary(_FDC9_06FE_FD45_06EB(0))
Source: PO-SINCO-PDF.exe, ---.cs | Reference to suspicious API methods: GetProcAddress(_061C_FBCA_FDE5_FDE6_064E_0609_FBB3, _FDC9_06FE_FD45_06EB(12))
Source: PO-SINCO-PDF.exe, ---.cs | Reference to suspicious API methods: VirtualProtect(procAddress, (uint)_06E8_061D.Count, 64u, out _061D_06DA_FDEA_FDED_FBBD_0607)
Note: the library and export names are produced by obfuscated decoder calls (_FDC9_06FE_FD45_06EB(0), _FDC9_06FE_FD45_06EB(12)), and VirtualProtect is applied to the address GetProcAddress returned with protection 64 (0x40, PAGE_EXECUTE_READWRITE) over _06E8_061D.Count bytes. That is the shape of an in-memory patch of a resolved export, not ordinary P/Invoke; the decoded names identify which function the dropper patches.
Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-SINCO-PDF.exe" -Force
Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 400000
Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 401000
Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 4FED008
Note: 4D5A is the "MZ" signature. An RWX allocation at 0x400000 in a foreign process followed by a buffer starting with MZ at the same address, and a further write at 0x401000 (the first section), is a whole PE image being mapped into the suspended ngen.exe at its preferred base; this is the evidence behind the "Injects a PE file into a foreign processes" signature. The small trailing write at 4FED008 is worth checking against the target's PEB: offset 0x08 of the 32-bit PEB is ImageBaseAddress, which hollowing code updates after the copy.
Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-SINCO-PDF.exe" -Force
Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe | Queries volume information: C:\Users\user\Desktop\PO-SINCO-PDF.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\PO-SINCO-PDF.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: MsMpEng.exe
Note: the MsMpEng.exe strings come from Amcache.hve, the application-compatibility hive that WerFault.exe (process 8) copied when the dropper crashed. That hive inventories executables seen on the analysis host, so these hits describe the host's Defender installation, not strings inside the sample, and they should not be read as the sample enumerating or targeting AV processes. The EnableLUA write in the first line, by contrast, is the sample's own action (the "Disables UAC (registry)" signature).
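The two sections above record the three evasion moves the dropper makes: a Defender path exclusion via PowerShell, a PE image mapped into a suspended ngen.exe, and a write to the EnableLUA policy value. The script below is an added example, not Joe Sandbox output and not code from the sample, showing how to correlate such behaviour records into findings. Its input is the report's own lines, normalised by hand into (event, source, detail) tuples, plus one constructed record carrying the same exclusion through -EncodedCommand, since the Sigma hit names the base64-encoded variant but the report prints only the plain one. The correlation rule for hollowing (target created by the source, RWX allocation and MZ write at the same base) and the set of UAC values watched are this example's choices.

```python
import base64
import re
from collections import defaultdict

# Paths as they appear in the report above.
SAMPLE = r"C:\Users\user\Desktop\PO-SINCO-PDF.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NGEN = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"


def encode_powershell(script: str) -> str:
    """The form -EncodedCommand accepts: base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# (event, source process, detail) records, normalised by hand from the report's lines.
# The second record is constructed: the same exclusion passed through -EncodedCommand.
EVENTS = [
    ("process_created", SAMPLE, f'"{PS}" Add-MpPreference -ExclusionPath "{SAMPLE}" -Force'),
    ("process_created", SAMPLE, f'"{PS}" -EncodedCommand '
     + encode_powershell(f'Add-MpPreference -ExclusionPath "{SAMPLE}" -Force')),
    ("process_created", SAMPLE, f'"{NGEN}"'),
    ("memory_allocated", SAMPLE, f"{NGEN} base: 400000 protect: page execute and read and write"),
    ("memory_written", SAMPLE, f"{NGEN} base: 400000 value starts with: 4D5A"),
    ("memory_written", SAMPLE, f"{NGEN} base: 401000"),
    ("registry_value_created", SAMPLE,
     r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA"),
]

# -e, -ec, -enc and -EncodedCommand are the documented spellings; PowerShell also accepts
# other unambiguous prefixes, which a production rule would enumerate.
_ENCODED = re.compile(r"-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
_EXCLUSION = re.compile(r'-Exclusion(Path|Process|Extension)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
_MEMORY = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)(?P<rest>.*)$")
_UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}


def decode_powershell(cmdline: str) -> str:
    """Return the script PowerShell will actually run: the -EncodedCommand payload if present."""
    m = _ENCODED.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # malformed payload: fall back to the raw command line


def _image(cmdline: str) -> str:
    """First token of a command line with its surrounding quotes removed."""
    return cmdline.split('"')[1] if cmdline.startswith('"') else cmdline.split()[0]


def find_defender_exclusions(events):
    """(source, kind, value) for every Add-MpPreference -Exclusion* issued by a created process."""
    found = []
    for kind, source, detail in events:
        if kind != "process_created":
            continue
        script = decode_powershell(detail)
        if re.search(r"\bAdd-MpPreference\b", script, re.IGNORECASE):
            for m in _EXCLUSION.finditer(script):
                found.append((source, m.group(1), m.group(2) or m.group(3)))
    return found


def find_hollowing(events):
    """Targets that the source created, gave RWX memory and then wrote an MZ header into."""
    created, rwx, mz = set(), defaultdict(set), defaultdict(set)
    for kind, source, detail in events:
        if kind == "process_created":
            created.add(_image(detail))
            continue
        m = _MEMORY.match(detail)
        if not m or m["target"] == source:   # a process touching its own memory is not injection
            continue
        base = int(m["base"], 16)
        if kind == "memory_allocated" and "execute and read and write" in m["rest"]:
            rwx[m["target"]].add(base)
        elif kind == "memory_written" and "starts with: 4D5A" in m["rest"]:
            mz[m["target"]].add(base)
    return {t: sorted(rwx[t] & mz[t]) for t in created if rwx[t] & mz[t]}


def find_uac_tampering(events):
    """Registry writes under Policies\\System to the values that govern UAC."""
    return [(source, detail.rsplit(" ", 1)[-1])
            for kind, source, detail in events
            if kind == "registry_value_created" and "\\Policies\\System " in detail
            and detail.rsplit(" ", 1)[-1] in _UAC_VALUES]


def triage(events):
    """(finding, evidence) tuples in the order the report's sections present them."""
    findings = [("defender_exclusion", x) for x in find_defender_exclusions(events)]
    findings += [("process_hollowing", (t, b)) for t, b in find_hollowing(events).items()]
    findings += [("uac_disabled", x) for x in find_uac_tampering(events)]
    return findings


if __name__ == "__main__":
    for finding, evidence in triage(EVENTS):
        print(finding, evidence)
```

triage(EVENTS) yields two defender_exclusion findings (the plain line and the decoded one), one process_hollowing finding for ngen.exe at 0x400000, and one uac_disabled finding. The hollowing rule deliberately needs all three legs, so a process allocating RWX pages in itself (which the CLR does routinely) or writing non-MZ data into a child does not fire; the decoder falls back to the raw command line on malformed base64 rather than dropping the event.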

            Stealing of Sensitive Information

Source: Yara match | File source: 4.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.1799111466.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1799357610.0000000005270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

Source: Yara match | File source: 4.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.1799111466.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1799357610.0000000005270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Techniques followed by a number in parentheses are the cells the report's signatures mapped to; the number is the badge printed in the matrix cell, reproduced as shown. Techniques without a number are the matrix's unmatched cells.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (311); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Disable or Modify Tools (21); Virtualization/Sandbox Evasion (41); Process Injection (311); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (131); Process Discovery (1); Virtualization/Sandbox Evasion (41); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (12)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph (ID: 1538504, Sample: PO-SINCO-PDF.exe, Startdate: 21/10/2024, Architecture: WINDOWS, Score: 100)

Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 7 other signatures

PO-SINCO-PDF.exe (started; badges: 1 3)
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
  powershell.exe (started; badge: 23)
    Signature: Loading BitLocker PowerShell Module
    conhost.exe (started)
    WmiPrvSE.exe (started)
  WerFault.exe (started; badges: 19 16)
    Dropped: C:\ProgramData\Microsoft\...\Report.wer, Unicode
  ngen.exe (started)
  ngen.exe (started)

Antivirus detection, submitted sample (Source | Detection | Scanner | Label | Link)
PO-SINCO-PDF.exe | 50% | ReversingLabs | Win64.Trojan.Swotter
PO-SINCO-PDF.exe | 100% | Avira | TR/AD.Swotter.ujscr
PO-SINCO-PDF.exe | 100% | Joe Sandbox ML
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
URL detection (Source | Detection | Scanner | Label | Link)
http://upx.sf.net | 0% | URL Reputation | safe
            No contacted domains info
URLs (Name | Source | Malicious | Antivirus Detection | Reputation)
http://upx.sf.net | Amcache.hve.8.dr | false | URL Reputation: safe | unknown
Note: this URL was found in the Amcache.hve hive that WerFault.exe copied, not in the sample or its traffic (the report records no network behavior), so it is not an indicator for this sample.
            No contacted IP infos
            Joe Sandbox version:41.0.0 Charoite
            Analysis ID:1538504
            Start date and time:2024-10-21 13:16:06 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 5m 51s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:PO-SINCO-PDF.exe
            Detection:MAL
            Classification:mal100.troj.expl.evad.winEXE@10/10@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 82%
            • Number of executed functions: 22
            • Number of non-executed functions: 239
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 20.189.173.22
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtCreateKey calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • Report size getting too big, too many NtSetInformationFile calls found.
            • VT rate limit hit for: PO-SINCO-PDF.exe
Time | Type | Description
07:17:08 | API Interceptor | 23x Sleep call for process: powershell.exe modified
07:17:16 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
07:17:38 | API Interceptor | 3x Sleep call for process: ngen.exe modified
            No context
            No context
            No context
            No context
            No context
            Process:C:\Windows\System32\WerFault.exe
            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):65536
            Entropy (8bit):1.1534357349203241
            Encrypted:false
            SSDEEP:192:Mxbd+aKo0UnUFaWBHaWrpmIdzuiFVZ24lO8+:kKDUnUFamHajIzuiFVY4lO8+
            MD5:DF02CE3679EDE8B88F00AC1A3FC18812
            SHA1:D71860DCF25A1CAFC1E3B5010E70C7562522DDF2
            SHA-256:CC1B4274D4091ADF8EE93D3B3FD807C898D2DD890506CB10BE5AF5A5B2384EEC
            SHA-512:8470CC542599FD3B238EABF1B099878EF2FAFE2050C6C81C90846692536238771DBA388CD9F909E5B8D89540803D0415F658A024A16E69A7F03BECE0B9FE481B
            Malicious:true
            Reputation:low
            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.9.8.3.0.2.6.9.5.3.1.3.5.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.9.8.3.0.2.8.5.6.2.5.2.4.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.4.6.f.f.d.4.c.-.7.b.e.e.-.4.f.4.d.-.b.b.9.8.-.9.8.c.e.c.e.3.c.b.9.e.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.6.6.7.5.8.3.8.-.9.8.7.e.-.4.7.8.a.-.a.8.9.c.-.2.e.6.b.4.c.e.4.a.f.0.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.P.O.-.S.I.N.C.O.-.P.D.F...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.2.4.-.0.0.0.1.-.0.0.1.4.-.f.b.d.7.-.9.8.c.1.a.a.2.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.d.c.8.e.a.3.a.a.0.d.5.b.0.2.3.7.3.f.8.4.7.2.1.8.8.b.a.8.1.8.6.0.0.0.0.f.f.f.f.!.0.0.0.0.0.4.f.b.9.b.8.1.b.3.a.5.b.c.1.2.a.5.9.1.8.2.9.f.e.3.2.f.0.3.2.0.0.3.3.7.1.3.9.3.!.P.O.-.S.I.N.C.O.-.P.D.F...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.0.
            Process:C:\Windows\System32\WerFault.exe
            File Type:Mini DuMP crash report, 16 streams, Mon Oct 21 11:17:07 2024, 0x1205a4 type
            Category:dropped
            Size (bytes):471150
            Entropy (8bit):3.1390285426282305
            Encrypted:false
            SSDEEP:3072:gHIFZJGLIvsFT1CCq6oxFI3+v4zzEa6L4FJE1cSEWCcZlSgkl+J0:geZJGLkiqS3Qc6PEWNnG
            MD5:3E352ACC6EF435115A77C3488607F833
            SHA1:DAF3725BC4FEB3D440249069093E755812889154
            SHA-256:332A0244559855A4B61E8CE37EF3B8CB2955F7D70370CC8D9C025F4EACDD739A
            SHA-512:D4E3A9A8DA86DE2F16BB4BE983FA0145EA5FD7A2D1981B7D727F54D8D2CAA9D6B64F09ADD3DFC005970063B68C91A818072480A1ACF102821EED2C446AF2DE49
            Malicious:false
            Reputation:low
            Preview:MDMP..a..... .......38.g............t.......................$...p%...........%......$N..............l.......8...........T...........(8..F............C...........E..............................................................................eJ......,F......Lw......................T.......$.../8.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Windows\System32\WerFault.exe
            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):8606
            Entropy (8bit):3.7144139503105817
            Encrypted:false
            SSDEEP:192:R6l7wVeJJmf6YSuKegmfjMwpr189bBbtXfYbR7jm:R6lXJ4f6YbKegmfjM3BbtfE6
            MD5:46C34D13EC27A172B9B60A2FC78F0DB7
            SHA1:94A965678BCF3B09BB246FACF09C94E570F5A06E
            SHA-256:F53CD7AE169557841AB8F9580BF2720EE9CB6796291FEA459D67A025A1AF1A6A
            SHA-512:46404C923886278DA02994C6ACCBF5E19593D4728A6BFC45E33630F3BD3E5AADA670DD59B0EE5A8F92ED54B11433E31EDB49E6586CEF1C0D80CB6D2BA685C4BA
            Malicious:false
            Reputation:low
            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.6.0.<./.P.i.
            Process:C:\Windows\System32\WerFault.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):4703
            Entropy (8bit):4.541993759756208
            Encrypted:false
            SSDEEP:48:cvIwWl8zsBJg771I9BWWpW8VYUHPYm8M4JwasQFboyq85QExrUIXid:uIjfTI7+37VzHSJwHUxrUIXid
            MD5:77620C7F59F384EB5081F01320005710
            SHA1:D6A5C0CFA968BBF16EC110BDE2F80532B3AC40E5
            SHA-256:0295644605E9F8908A0F30B3BE05ECA19EA00EEC1B596C35E58FB6C2CE1CE6D5
            SHA-512:E5F512362DA5AC7010E8C25E010F9F7F1EE1050C7E5FFFA97F17B75BA81CC22D32B2180F2D25B713CF914562E7A6E029E368F4D9B40D91AB3801B84A42E5D5BA
            Malicious:false
            Reputation:low
            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="553099" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:dropped
            Size (bytes):64
            Entropy (8bit):1.1940658735648508
            Encrypted:false
            SSDEEP:3:NlllulxmH/lZ:NllUg
            MD5:D904BDD752B6F23D81E93ECA3BD8E0F3
            SHA1:026D8B0D0F79861746760B0431AD46BAD2A01676
            SHA-256:B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
            SHA-512:5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
            Malicious:false
            Reputation:moderate, very likely benign file
            Preview:@...e................................. ..............@..........
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\System32\WerFault.exe
            File Type:MS Windows registry file, NT/2000 or above
            Category:dropped
            Size (bytes):1835008
            Entropy (8bit):4.37226329880328
            Encrypted:false
            SSDEEP:6144:oFVfpi6ceLP/9skLmb08yWWSPtaJG8nAge35OlMMhA2AX4WABlguNLiL:QV1iyWWI/glMM6kF7Zq
            MD5:FDE277A4DC5F6113CEE35A243EA6E596
            SHA1:77FAC6F5E2ADDF096AAD0FC18EC9050FC707F205
            SHA-256:AA323942041164BAECC317E1F766FCDC0E21B46DF8CE6331EB0ABA4EC8C58774
            SHA-512:CCDBDBA05A5ED0B3B0E7584D1740ADF1C3F357D6A6201033D02FB751182E7DE4D7DAAE747B888BEABEC75DB46D7B9EA433369A8DDFE8EE9AF125D1F9DD3036AA
            Malicious:false
            Preview:regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..o.#................................................................................................................................................................................................................................................................................................................................................x.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
            Entropy (8bit):6.085910440903904
            TrID:
            • Win64 Executable GUI (202006/5) 92.65%
            • Win64 Executable (generic) (12005/4) 5.51%
            • Generic Win/DOS Executable (2004/3) 0.92%
            • DOS Executable Generic (2002/1) 0.92%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:PO-SINCO-PDF.exe
            File size:1'394'775 bytes
            MD5:d211d2330e29f7b1a0347e9041fed469
            SHA1:04fb9b81b3a5bc12a591829fe32f032003371393
            SHA256:bf7bccbcb60997695061aa9e272cdd14400b5e64727a826baa26f22a41757069
            SHA512:9fc73f600284265746bacc9052efb6a08731a339b0a7b67827d81ea7722f8e2e84fce2cfe4ef8cf8ef1a914e7c667e42a7cca108203c46a80a9696eff968b6f5
            SSDEEP:12288:0+hzChGCSH40QTVYMdmE8b+9ZuxYbNOfI6oBxeuP1lSNpbPqUrav29fY:0GChmY0QVl99Z2YxORCeiqfhfY
            TLSH:D65512127D4B8C93FD4A1A32E8C4B1F486FC9F6370F9849FEF564D8894041BE2965A72
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....=.g.........."...0..+............... ....@...... .......................`............@................................
            Icon Hash:00928e8e8686b000
            Entrypoint:0x400000
            Entrypoint Section:
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0x67123D8F [Fri Oct 18 10:50:55 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:
Instruction (disassembly at the reported entrypoint 0x400000, i.e. RVA 0)
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
Note: these seven instructions are the DOS header bytes 4D 5A 90 00 03 00 00 00 04 00 00 00 ("MZ", e_cblp, e_cp, e_crlc, e_cparhdr) decoded as x86 code, not a real entry stub. The entrypoint RVA is 0 and the import table and import hash are empty because this is an IL-only .NET assembly: execution starts through the CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR at 0x2000), and there is no native code to disassemble here.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x2b1a | 0x2c00 | 998ba3545683c2d627b41313f17cb06a | False | 0.6457741477272727 | data | 6.147838511010182 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            No network behavior found


            Target ID:0
            Start time:07:17:03
            Start date:21/10/2024
            Path:C:\Users\user\Desktop\PO-SINCO-PDF.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\Desktop\PO-SINCO-PDF.exe"
            Imagebase:0x990000
            File size:1'394'775 bytes
            MD5 hash:D211D2330E29F7B1A0347E9041FED469
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1555948913.0000000003073000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            Reputation:low
            Has exited:true

            Target ID:2
            Start time:07:17:06
            Start date:21/10/2024
            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-SINCO-PDF.exe" -Force
            Imagebase:0x7ff6cb6b0000
            File size:452'608 bytes
            MD5 hash:04029E121A0CFA5991749937DD22A1D9
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:3
            Start time:07:17:06
            Start date:21/10/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6ee680000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:4
            Start time:07:17:06
            Start date:21/10/2024
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
            Imagebase:0x500000
            File size:144'344 bytes
            MD5 hash:417D6EA61C097F8DF6FEF2A57F9692DF
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1799111466.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.1799111466.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1799357610.0000000005270000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.1799357610.0000000005270000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
            Reputation:moderate
            Has exited:true

            Target ID:5
            Start time:07:17:06
            Start date:21/10/2024
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
            Wow64 process (32bit):
            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
            Imagebase:
            File size:144'344 bytes
            MD5 hash:417D6EA61C097F8DF6FEF2A57F9692DF
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:moderate
            Has exited:false

            Target ID:8
            Start time:07:17:06
            Start date:21/10/2024
            Path:C:\Windows\System32\WerFault.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\WerFault.exe -u -p 7460 -s 896
            Imagebase:0x7ff6b11b0000
            File size:570'736 bytes
            MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:10
            Start time:07:17:11
            Start date:21/10/2024
            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Imagebase:0x7ff605670000
            File size:496'640 bytes
            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
            Has elevated privileges:true
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false


              Execution Graph

              Execution Coverage:11.7%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:3
              Total number of Limit Nodes:0
              execution_graph 14481 7ffb4b333fce 14482 7ffb4b333fdd VirtualProtect 14481->14482 14484 7ffb4b334129 14482->14484

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1562695326.00007FFB4B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B330000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffb4b330000_PO-SINCO-PDF.jbxd
              Similarity
              • API ID:
              • String ID: HG?K$HG?K$HG?K$HG?K
              • API String ID: 0-4031783910
              • Opcode ID: 72c9ef8db497aac3fed8303b102e21672ffca5e3c959bf46316c99c6fd990530
              • Instruction ID: deb8962a2a402cb79cf2c2496eb86b05cd09434936652219013c01bdb73e6c38
              • Opcode Fuzzy Hash: 72c9ef8db497aac3fed8303b102e21672ffca5e3c959bf46316c99c6fd990530
              • Instruction Fuzzy Hash: 29E1697290CB864FE319DB39C4911B2B7D2FF95701B5486BED5CAC72B1DE28A846C780

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1562695326.00007FFB4B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B330000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffb4b330000_PO-SINCO-PDF.jbxd
              Similarity
              • API ID:
              • String ID: HG?K$HG?K
              • API String ID: 0-1028358438
              • Opcode ID: d4957ed980c7affd0a18df48d566f3bc7ffc2e4d605f9ee94614b7e655bdcba7
              • Instruction ID: a5f03d739a1b9ffd1d41fbc4c94c7372e0abccf3a71d1fc5850597fa5fd49fc7
              • Opcode Fuzzy Hash: d4957ed980c7affd0a18df48d566f3bc7ffc2e4d605f9ee94614b7e655bdcba7
              • Instruction Fuzzy Hash: E18203B151CB4A4FE359EF38C4904A2B7E1FF85305B1485BED58AC72A6DA38F846C781

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1562695326.00007FFB4B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B330000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffb4b330000_PO-SINCO-PDF.jbxd
              Similarity
              • API ID:
              • String ID: HG?K$HG?K
              • API String ID: 0-1028358438
              • Opcode ID: 56a6d76d61ee305ea8f7d53f04f2c4983891d4bb9d9733adf67d7906916f68db
              • Instruction ID: c877e92e3f9dfedf67960c24e3d768265c9bf8e98069cc014d7a0e02b6ad9184
              • Opcode Fuzzy Hash: 56a6d76d61ee305ea8f7d53f04f2c4983891d4bb9d9733adf67d7906916f68db
              • Instruction Fuzzy Hash: 2262117160CB594FE759EF38C4915B57BE1FF95300B0485BEE58AC32A2DE28E846CB81

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1562695326.00007FFB4B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B330000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffb4b330000_PO-SINCO-PDF.jbxd
              Similarity
              • API ID:
              • String ID: fish$pj<K
              • API String ID: 0-3073414872
              • Opcode ID: dbf8a9960a9d24bc1d9cb706f623d904c1f9c84724bb5c7b06014ca9ba28ed25
              • Instruction ID: 155c8119831db37ef2490656dbb9931da594998f62ab66a42e0aca352432dba7
              • Opcode Fuzzy Hash: dbf8a9960a9d24bc1d9cb706f623d904c1f9c84724bb5c7b06014ca9ba28ed25
              • Instruction Fuzzy Hash: 06D16A72A1CB4A0FE75DAF39C86517A77E1FF95310B0542BED58BC31A2DD28AC428381
              Memory Dump Source
              • Source File: 00000000.00000002.1563404679.00007FFB4B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffb4b400000_PO-SINCO-PDF.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7d1487d125d6bec944ff401e1b9ea2d27752e1438dc00bf77196ee86762fc109
              • Instruction ID: 898f889b6595da297e9f336f2057a9c7b349aa129b5a66c76073dd37db141ec0
              • Opcode Fuzzy Hash: 7d1487d125d6bec944ff401e1b9ea2d27752e1438dc00bf77196ee86762fc109
              • Instruction Fuzzy Hash: 87E2F7B280DBCA4FEB56EF38C8555A47FE0EF56304F0941FAD589CB1A3D9286806C791

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1562695326.00007FFB4B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B330000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffb4b330000_PO-SINCO-PDF.jbxd
              Similarity
              • API ID:
              • String ID: H33K
              • API String ID: 0-1286342959
              • Opcode ID: 8f2d922d6ef747434d58855b0e017722ccd5d3bd6d7c19ed03c7fa87e049c2db
              • Instruction ID: 3daaa0e8e10b21bcd6f0d2d169e9f41389c551c2514b2da38cc8f5d4fcba670f
              • Opcode Fuzzy Hash: 8f2d922d6ef747434d58855b0e017722ccd5d3bd6d7c19ed03c7fa87e049c2db
              • Instruction Fuzzy Hash: 983205B290DB854FE356AF39C9510A67BE0EF5231071885FEC18AC71A3DA19B847C791
              Memory Dump Source
              • Source File: 00000000.00000002.1562695326.00007FFB4B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B330000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffb4b330000_PO-SINCO-PDF.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5a2fdb20a7e662f25c80097ca3724676260d1cf0137b57de5f8d5ad5858b90b7
              • Instruction ID: 8c5c320f3ad48910c802fc558026edb14c008d8f00d020127fb98d3b3f6fd587
              • Opcode Fuzzy Hash: 5a2fdb20a7e662f25c80097ca3724676260d1cf0137b57de5f8d5ad5858b90b7
              • Instruction Fuzzy Hash: CB62357191CF6A4FE359EF39C4405727BE1EF95301B1086BDD58AC72A2DE28AC46C781
              Memory Dump Source
              • Source File: 00000000.00000002.1562695326.00007FFB4B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B330000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffb4b330000_PO-SINCO-PDF.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: da6a066160b2803b6d61fb5fdde22aa64efe20e4de0e0b704dff059a238a5038
              • Instruction ID: 6804120a4ee5e2e294e8f2b79d3ccf613135a1a99c5e19b425f2a8ca32b506af
              • Opcode Fuzzy Hash: da6a066160b2803b6d61fb5fdde22aa64efe20e4de0e0b704dff059a238a5038
              • Instruction Fuzzy Hash: E2522771A0CA198FDBA8EF29C45567A77E1FF59300B1441BEE44EC72A2DE24EC428791
              Memory Dump Source
              • Source File: 00000000.00000002.1562695326.00007FFB4B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B330000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffb4b330000_PO-SINCO-PDF.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1d9c31e91dd81e1bed403474959e9fb704cc1f643746e7411aa3c2f55c67b59f
              • Instruction ID: 2d9a4b886bc353732e97aa664fad7dfcb1386cd4b1c723a7f379a3473aa22a17
              • Opcode Fuzzy Hash: 1d9c31e91dd81e1bed403474959e9fb704cc1f643746e7411aa3c2f55c67b59f
              • Instruction Fuzzy Hash: 9C41597160D7894FD71E9E78C8211B57BE5EB83220F05C2BFD186CB1A7DD2868078392

              Control-flow Graph

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1562695326.00007FFB4B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B330000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffb4b330000_PO-SINCO-PDF.jbxd
              Similarity
              • API ID: ProtectVirtual
              • String ID:
              • API String ID: 544645111-0
              • Opcode ID: 66983c355222292313adf1e93c49e941605b63bb85ee583e759fce9573dfb483
              • Instruction ID: b8b6f415afa2ce322a9563a4f915d2acde25e6ec795fc4ca1d054e9788d93013
              • Opcode Fuzzy Hash: 66983c355222292313adf1e93c49e941605b63bb85ee583e759fce9573dfb483
              • Instruction Fuzzy Hash: 81516F7090C74C8FDB58DFA8C845AE9BBF0FB56311F1052AED449D7291DB74A885CB81
              Memory Dump Source
              • Source File: 00000000.00000002.1563404679.00007FFB4B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffb4b400000_PO-SINCO-PDF.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: aaf2611ee1c8c8c663153afff45425fa6ec09188007fa8e7aeacb340cfc390f2
              • Instruction ID: d6a211ee711fd2e369382270bfead59b85bdf471c8873bdab2c8fad682d0e50e
              • Opcode Fuzzy Hash: aaf2611ee1c8c8c663153afff45425fa6ec09188007fa8e7aeacb340cfc390f2
              • Instruction Fuzzy Hash: 8571D5B190DBC94FEB56EF38C8655A57BF0EF56300B0941FBE449CB1A3EA28A815C351
              Memory Dump Source
              • Source File: 00000000.00000002.1563404679.00007FFB4B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffb4b400000_PO-SINCO-PDF.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 565872ea2cde4d8ae38756da17a1d4d87a8c049f3305d2ef436b5dfd498582f7
              • Instruction ID: adf58d88908ec10d2f58fa12d2e75c134ffb04a0973502d6b51b2888b588ca80
              • Opcode Fuzzy Hash: 565872ea2cde4d8ae38756da17a1d4d87a8c049f3305d2ef436b5dfd498582f7
              • Instruction Fuzzy Hash: FB3137B190CA4E8FEF95EF28C8954B877E0FF54300B04417EE54AD75A1EE34A851C781
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1562695326.00007FFB4B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B330000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffb4b330000_PO-SINCO-PDF.jbxd
              Similarity
              • API ID:
              • String ID: HG?K$HG?K$HG?K$HG?K
              • API String ID: 0-4031783910
              • Opcode ID: a78055317a5e72d6162a842071c89520e78fca588364fc5bd7b55bbd2e21d145
              • Instruction ID: 7ee2fe3c49ff61b6ce5097776e345600512ba827f3ed3151efb6ddda62646af9
              • Opcode Fuzzy Hash: a78055317a5e72d6162a842071c89520e78fca588364fc5bd7b55bbd2e21d145
              • Instruction Fuzzy Hash: 2562587160CB864FD359DB39C4810A2B7E2FF95305B5486BEE4C6C72A6DE38E846C781
              Memory Dump Source
              • Source File: 00000000.00000002.1562695326.00007FFB4B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B330000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffb4b330000_PO-SINCO-PDF.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 145d596c4653af5c21f78fe3b0131271ff170d15c2cb3b4cb80091166efa88ec
              • Instruction ID: 8f3531ab2219b4a3a5499ddbc9321a5349e600d0527144d9ea5980db65f7ff43
              • Opcode Fuzzy Hash: 145d596c4653af5c21f78fe3b0131271ff170d15c2cb3b4cb80091166efa88ec
              • Instruction Fuzzy Hash: 5681957190CA8D8FDBA9EF28C845BE97BE0FF59310F00916AE84DC7252DB749985CB41

              Execution Graph

              Execution Coverage:1%
              Dynamic/Decrypted Code Coverage:5.9%
              Signature Coverage:10.8%
              Total number of Nodes:102
              Total number of Limit Nodes:11
              execution_graph 76782 42b943 76783 42b960 76782->76783 76786 58c2df0 LdrInitializeThunk 76783->76786 76784 42b988 76786->76784 76787 424703 76788 42471f 76787->76788 76789 424747 76788->76789 76790 42475b 76788->76790 76791 42c353 NtClose 76789->76791 76797 42c353 76790->76797 76794 424750 76791->76794 76793 424764 76800 42e553 RtlAllocateHeap 76793->76800 76796 42476f 76798 42c370 76797->76798 76799 42c381 NtClose 76798->76799 76799->76793 76800->76796 76806 424aa3 76810 424abc 76806->76810 76807 424b07 76814 42e433 76807->76814 76810->76807 76811 424b4a 76810->76811 76813 424b4f 76810->76813 76812 42e433 RtlFreeHeap 76811->76812 76812->76813 76817 42c6c3 76814->76817 76816 424b17 76818 42c6dd 76817->76818 76819 42c6ee RtlFreeHeap 76818->76819 76819->76816 76820 42f723 76821 42f693 76820->76821 76825 42f6f0 76821->76825 76826 42e513 76821->76826 76823 42f6cd 76824 42e433 RtlFreeHeap 76823->76824 76824->76825 76829 42c673 76826->76829 76828 42e52e 76828->76823 76830 42c690 76829->76830 76831 42c6a1 RtlAllocateHeap 76830->76831 76831->76828 76839 42f5f3 76840 42f603 76839->76840 76841 42f609 76839->76841 76842 42e513 RtlAllocateHeap 76841->76842 76843 42f62f 76842->76843 76832 413983 76836 4139a3 76832->76836 76834 413a0c 76835 413a02 76836->76834 76837 41b0f3 RtlFreeHeap LdrInitializeThunk 76836->76837 76837->76835 76844 4174b3 76846 4174d7 76844->76846 76845 4174de 76846->76845 76847 417513 LdrLoadDll 76846->76847 76848 41752a 76846->76848 76847->76848 76849 401ab3 76850 401ac0 76849->76850 76853 42fac3 76850->76853 76856 42dfe3 76853->76856 76857 42e009 76856->76857 76866 407413 76857->76866 76859 42e01f 76865 401c37 76859->76865 76869 41ade3 76859->76869 76861 42e03e 76862 42c713 ExitProcess 76861->76862 76863 42e053 76861->76863 76862->76863 76880 42c713 76863->76880 76868 407420 76866->76868 76883 416173 76866->76883 76868->76859 76870 41ae0f 76869->76870 76905 41acd3 76870->76905 76873 41ae54 76876 41ae70 76873->76876 76878 42c353 NtClose 
76873->76878 76874 41ae3c 76875 41ae47 76874->76875 76877 42c353 NtClose 76874->76877 76875->76861 76876->76861 76877->76875 76879 41ae66 76878->76879 76879->76861 76881 42c72d 76880->76881 76882 42c73e ExitProcess 76881->76882 76882->76865 76885 416190 76883->76885 76884 4161a9 76884->76868 76885->76884 76890 42cdc3 76885->76890 76887 416207 76887->76884 76897 428d33 NtClose LdrInitializeThunk 76887->76897 76889 41625b 76889->76868 76891 42cddd 76890->76891 76892 42ce0c 76891->76892 76898 42b993 76891->76898 76892->76887 76895 42e433 RtlFreeHeap 76896 42ce85 76895->76896 76896->76887 76897->76889 76899 42b9b0 76898->76899 76902 58c2c0a 76899->76902 76900 42b9dc 76900->76895 76903 58c2c1f LdrInitializeThunk 76902->76903 76904 58c2c11 76902->76904 76903->76900 76904->76900 76906 41adc9 76905->76906 76907 41aced 76905->76907 76906->76873 76906->76874 76911 42ba33 76907->76911 76910 42c353 NtClose 76910->76906 76912 42ba50 76911->76912 76915 58c35c0 LdrInitializeThunk 76912->76915 76913 41adbd 76913->76910 76915->76913 76838 58c2b60 LdrInitializeThunk
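The execution_graph line above is the rendered graph's token stream: each "<id> <address>" pair defines a function node, API names that follow a pair belong to that node, and "<src>-><dst>" tokens are edges. The following is an added example, not Joe Sandbox's own code, that parses the stream under that grammar and answers the question an analyst actually asks of the graph: which entry function ends up in which native API. The grammar is an assumption read off the line itself rather than a documented format; the node count it recovers (102) matches the report's own "Total number of Nodes" line.

```python
"""Parse the serialized Joe Sandbox execution_graph and reduce it to
"which entry point reaches which native API".  Added example, not Joe Sandbox code.
ASSUMED grammar (inferred from the line itself):
  "<id> <hexaddr> [ApiName ...]"  defines a node (APIs belong to that node)
  "<src>-><dst>"                   is an edge between node ids
"""
import re
from collections import defaultdict

# Copied verbatim from the execution_graph line of this report.
EXECUTION_GRAPH = """execution_graph 76782 42b943 76783 42b960 76782->76783 76786 58c2df0 LdrInitializeThunk 76783->76786 76784 42b988 76786->76784 76787 424703 76788 42471f 76787->76788 76789 424747 76788->76789 76790 42475b 76788->76790 76791 42c353 NtClose 76789->76791 76797 42c353 76790->76797 76794 424750 76791->76794 76793 424764 76800 42e553 RtlAllocateHeap 76793->76800 76796 42476f 76798 42c370 76797->76798 76799 42c381 NtClose 76798->76799 76799->76793 76800->76796 76806 424aa3 76810 424abc 76806->76810 76807 424b07 76814 42e433 76807->76814 76810->76807 76811 424b4a 76810->76811 76813 424b4f 76810->76813 76812 42e433 RtlFreeHeap 76811->76812 76812->76813 76817 42c6c3 76814->76817 76816 424b17 76818 42c6dd 76817->76818 76819 42c6ee RtlFreeHeap 76818->76819 76819->76816 76820 42f723 76821 42f693 76820->76821 76825 42f6f0 76821->76825 76826 42e513 76821->76826 76823 42f6cd 76824 42e433 RtlFreeHeap 76823->76824 76824->76825 76829 42c673 76826->76829 76828 42e52e 76828->76823 76830 42c690 76829->76830 76831 42c6a1 RtlAllocateHeap 76830->76831 76831->76828 76839 42f5f3 76840 42f603 76839->76840 76841 42f609 76839->76841 76842 42e513 RtlAllocateHeap 76841->76842 76843 42f62f 76842->76843 76832 413983 76836 4139a3 76832->76836 76834 413a0c 76835 413a02 76836->76834 76837 41b0f3 RtlFreeHeap LdrInitializeThunk 76836->76837 76837->76835 76844 4174b3 76846 4174d7 76844->76846 76845 4174de 76846->76845 76847 417513 LdrLoadDll 76846->76847 76848 41752a 76846->76848 76847->76848 76849 401ab3 76850 401ac0 76849->76850 76853 42fac3 76850->76853 76856 42dfe3 76853->76856 76857 42e009 76856->76857 76866 407413 76857->76866 76859 42e01f 76865 401c37 76859->76865 76869 41ade3 76859->76869 76861 42e03e 76862 42c713 ExitProcess 76861->76862 76863 42e053 76861->76863 76862->76863 76880 42c713 76863->76880 76868 407420 76866->76868 76883 416173 76866->76883 76868->76859 76870 41ae0f 76869->76870 76905 41acd3 76870->76905 76873 41ae54 76876 41ae70 76873->76876 76878 42c353 NtClose
76873->76878 76874 41ae3c 76875 41ae47 76874->76875 76877 42c353 NtClose 76874->76877 76875->76861 76876->76861 76877->76875 76879 41ae66 76878->76879 76879->76861 76881 42c72d 76880->76881 76882 42c73e ExitProcess 76881->76882 76882->76865 76885 416190 76883->76885 76884 4161a9 76884->76868 76885->76884 76890 42cdc3 76885->76890 76887 416207 76887->76884 76897 428d33 NtClose LdrInitializeThunk 76887->76897 76889 41625b 76889->76868 76891 42cddd 76890->76891 76892 42ce0c 76891->76892 76898 42b993 76891->76898 76892->76887 76895 42e433 RtlFreeHeap 76896 42ce85 76895->76896 76896->76887 76897->76889 76899 42b9b0 76898->76899 76902 58c2c0a 76899->76902 76900 42b9dc 76900->76895 76903 58c2c1f LdrInitializeThunk 76902->76903 76904 58c2c11 76902->76904 76903->76900 76904->76900 76906 41adc9 76905->76906 76907 41aced 76905->76907 76906->76873 76906->76874 76911 42ba33 76907->76911 76910 42c353 NtClose 76910->76906 76912 42ba50 76911->76912 76915 58c35c0 LdrInitializeThunk 76912->76915 76913 41adbd 76913->76910 76915->76913 76838 58c2b60 LdrInitializeThunk"""

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> {"addr", "apis"}; edges is a list of (src, dst)."""
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append(edge.groups())
            i += 1
        elif tok[0].isalpha():            # API name attached to the node just defined
            if current is None:
                raise ValueError(f"API token {tok!r} before any node definition")
            nodes[current]["apis"].append(tok)
            i += 1
        else:                             # "<id> <hexaddr>" pair starts a node
            if i + 1 >= len(tokens):
                raise ValueError(f"node {tok} has no address")
            current = tok
            nodes[current] = {"addr": tokens[i + 1], "apis": []}
            i += 2
    return nodes, edges


def roots(nodes, edges):
    """Entry nodes: defined nodes that no edge points at (an isolated node counts)."""
    targets = {dst for _, dst in edges}
    return [n for n in nodes if n not in targets]


def reachable_apis(nodes, edges, start):
    """Every API name on any node reachable from start; cycles are tolerated."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    seen, stack, apis = set(), [start], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        apis.update(nodes.get(node, {"apis": []})["apis"])   # tolerate dangling edges
        stack.extend(succ[node])
    return apis


def summarize(text):
    """Map each entry point's address to the sorted native APIs its call tree reaches."""
    nodes, edges = parse_execution_graph(text)
    return {nodes[r]["addr"]: sorted(reachable_apis(nodes, edges, r)) for r in roots(nodes, edges)}


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(EXECUTION_GRAPH)
    print(f"{len(nodes)} nodes, {len(edges)} edges")
    for addr, apis in sorted(summarize(EXECUTION_GRAPH).items()):
        print(f"{addr:>8}: {', '.join(apis)}")
```

Run stand-alone it prints one line per entry point. The tree rooted at 401ab3 is the one that reaches ExitProcess, by way of NtClose, RtlFreeHeap and LdrInitializeThunk, and 4174b3 is the only tree that reaches LdrLoadDll; the heap wrappers at 424703, 42f723 and 42f5f3 bottom out in RtlAllocateHeap/RtlFreeHeap. The "Limit Nodes" figure in the header is not encoded in the stream, so the parser does not try to reproduce it.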

              Control-flow Graph

              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417525
              Memory Dump Source
              • Source File: 00000004.00000002.1799111466.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_400000_ngen.jbxd
              Yara matches
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: cc2e2eeabfe5aa2f3bcae61bb068a042517829d55ca8f3e828244603fde8ea91
              • Instruction ID: 79ab2b19ebedfb7dbac4706c66af6717613667a03eee12f3d45aa059f7d986a2
              • Opcode Fuzzy Hash: cc2e2eeabfe5aa2f3bcae61bb068a042517829d55ca8f3e828244603fde8ea91
              • Instruction Fuzzy Hash: 5B015EB1E0020DBBDB10DAA1DC42FDEB778AB54308F4041AAE90897240F634EB598B95

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 32 42c353-42c38f call 4047e3 call 42d5b3 NtClose
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.1799111466.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_400000_ngen.jbxd
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: 3df8a5f7e5efef02ab47fcf92f1ff81514ca88e9a0e5e6b774cfcaf696e725d5
              • Instruction ID: 5a4bf5c8a3ca4387f99c23e0ba8eba62fd4d6aa45612fdc99be071ccfc075deb
              • Opcode Fuzzy Hash: 3df8a5f7e5efef02ab47fcf92f1ff81514ca88e9a0e5e6b774cfcaf696e725d5
              • Instruction Fuzzy Hash: 4CE04F35600214BBD520FA5ADC41F97776CDFC5754F40411AFA1867242C6B5BA018BF5

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 49 58c35c0-58c35cc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: cb4b9bbe71f0b8a24b18c3cd3b8d8d825946d15d6df3d4bd8fa0cbc0984bd3ba
              • Instruction ID: 662e5180e74ef6da28ae27ee08d1d957d2fb5cd61008ec2f4ba2ef037962122a
              • Opcode Fuzzy Hash: cb4b9bbe71f0b8a24b18c3cd3b8d8d825946d15d6df3d4bd8fa0cbc0984bd3ba
              • Instruction Fuzzy Hash: B490023670551406D10071584554706516587D0201FA5C411A5428568D87998E5569B3
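Every "Source File" above is a Joe Sandbox dump name whose dotted fields say where the dump came from, and the matching "Snapshot File" repeats the process index, base and image name in a second form. The following is an added example, not Joe Sandbox's own code, that decodes both names for the four dump sources on this page and flags the regions to open first. The field order it assumes (process index, dump state, sequence, base address, page protection, a flags field this page does not explain, region type, reserved) is read off the names on this page rather than from a published spec; the protection and type values themselves (0x40 = PAGE_EXECUTE_READWRITE, 0x20000 = MEM_PRIVATE) are the standard winnt.h constants. The check it applies is the one a practitioner wants here: a region that parses as a PE yet sits in private, writable and executable memory was written there by some process rather than mapped by the image loader.

```python
"""Decode Joe Sandbox ".sdmp" dump names and "hcaresult_*.jbxd" snapshot names and
flag PE images found in private RWX memory.  Added example, not Joe Sandbox code.
ASSUMPTION: the dump-name field order below is inferred from the names on this page:
  <proc>.<state>.<sequence>.<base>.<protect>.<flags>.<type>.<reserved>.sdmp
and the snapshot-name layout is likewise inferred:  hcaresult_<proc>_<state>_<base>_<image>.jbxd
"""
import re

# Windows constants from winnt.h.
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000
PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
REGION_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

DUMP_NAME_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{8,16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<flags>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<reserved>[0-9A-Fa-f]{8})\.sdmp$")
SNAPSHOT_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9A-Fa-f]+)_(.+)\.jbxd$")

# The four dump sources quoted on this page: (dump name, snapshot name, "based on PE" as reported).
REGIONS = [
    ("00000000.00000002.1563404679.00007FFB4B400000.00000040.00000800.00020000.00000000.sdmp",
     "hcaresult_0_2_7ffb4b400000_PO-SINCO-PDF.jbxd", False),
    ("00000000.00000002.1562695326.00007FFB4B330000.00000040.00000800.00020000.00000000.sdmp",
     "hcaresult_0_2_7ffb4b330000_PO-SINCO-PDF.jbxd", False),
    ("00000004.00000002.1799111466.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
     "hcaresult_4_2_400000_ngen.jbxd", True),
    ("00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp",
     "hcaresult_4_2_5850000_ngen.jbxd", True),
]


def decode_dump_name(name):
    """Split a dump name into its (assumed) fields and name the protection/type values."""
    m = DUMP_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    f = m.groupdict()
    protect, mem_type = int(f["protect"], 16), int(f["type"], 16)
    return {
        "process_index": int(f["proc"], 16),
        "state": int(f["state"], 16),
        "sequence": int(f["seq"]),
        "base": int(f["base"], 16),
        "protect": protect,
        "protect_name": PROTECTIONS.get(protect, f"0x{protect:x}"),
        "flags": int(f["flags"], 16),        # meaning not stated on this page
        "type": mem_type,
        "type_name": REGION_TYPES.get(mem_type, f"0x{mem_type:x}"),
    }


def parse_snapshot_name(name):
    """hcaresult_<proc>_<state>_<base>_<image>.jbxd -> (proc, state, base, image)."""
    m = SNAPSHOT_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox snapshot name: {name}")
    proc, state, base, image = m.groups()
    return int(proc), int(state), int(base, 16), image


def triage(regions):
    """Decode each region, cross-check the two names, and flag PEs in private RWX memory."""
    rows = []
    for dump_name, snapshot_name, based_on_pe in regions:
        info = decode_dump_name(dump_name)
        proc, state, base, image = parse_snapshot_name(snapshot_name)
        if (proc, state, base) != (info["process_index"], info["state"], info["base"]):
            raise ValueError(f"dump and snapshot names disagree: {dump_name} / {snapshot_name}")
        info["image"] = image
        info["based_on_pe"] = based_on_pe
        # A loader-mapped module is MEM_IMAGE and never writable+executable as a whole.
        # A PE header in MEM_PRIVATE, PAGE_EXECUTE_READWRITE memory was written there by
        # some process (injected or manually mapped), so that region gets opened first.
        info["flagged"] = (based_on_pe
                           and info["type"] == MEM_PRIVATE
                           and info["protect"] == PAGE_EXECUTE_READWRITE)
        rows.append(info)
    return rows


if __name__ == "__main__":
    for r in triage(REGIONS):
        mark = "FLAG" if r["flagged"] else "    "
        print(f"{mark} pid#{r['process_index']} {r['image']:<14} base=0x{r['base']:x} "
              f"{r['protect_name']} {r['type_name']} pe={r['based_on_pe']}")
```

Run on the four sources above it flags the two process-4 (ngen) regions at 0x400000 and 0x5850000 and leaves the two process-0 regions alone, since the report marks those "based on PE: false". The strings the report lists for the 0x5850000 dump further down (minkernel\ntdll\ldrinit.c, LdrpInitShimEngine, LdrpInitializeProcess, the RtlAllocateHeap and RtlFreeHeap heap diagnostics) are ntdll's own, so that flagged region is ntdll's code sitting in private memory outside the image-mapped ntdll; that reading is an inference from the listed strings, and the report itself does not say what the sample does with the copy.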

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 48 58c2df0-58c2dfc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: f30365e1e9bc35a4e24ae96e359d7b203a8886acfd69e06a16fb025f22b4b847
              • Instruction ID: db67e4128848989b241cdd49e8626ff94f0a8f68c45f640e459e4881cf6d8c6d
              • Opcode Fuzzy Hash: f30365e1e9bc35a4e24ae96e359d7b203a8886acfd69e06a16fb025f22b4b847
              • Instruction Fuzzy Hash: 1090023630141417D11171584544707416987D0241FD5C412A5428558D965A8E56A532

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 47 58c2c70-58c2c7c LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 72a99df36c718de746cf337525b294f2a222b5717937111247e765065ab064ad
              • Instruction ID: 867e83a4f03ce1b7ba96ec95729a0441a3c7bc64c796b462ba01e72b6fb55bc4
              • Opcode Fuzzy Hash: 72a99df36c718de746cf337525b294f2a222b5717937111247e765065ab064ad
              • Instruction Fuzzy Hash: 0490023630149806D1107158844474A416587D0301F99C411A9428658D86998D957532

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 46 58c2b60-58c2b6c LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: d63f95620425f02c5e6df26f568058e082e53ba61a51900bcc1071fb964e0f1c
              • Instruction ID: 73446c4c489d1277433f20241f6609e687b9107f13c1daa7ce8fd375b9d7429c
              • Opcode Fuzzy Hash: d63f95620425f02c5e6df26f568058e082e53ba61a51900bcc1071fb964e0f1c
              • Instruction Fuzzy Hash: B090026630241007410571584454616816A87E0201B95C021E6018590DC5298D956536

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 22 42c673-42c6b7 call 4047e3 call 42d5b3 RtlAllocateHeap
              APIs
              • RtlAllocateHeap.NTDLL(?,0041E294,?,?,00000000,?,0041E294,?,?,?), ref: 0042C6B2
              Memory Dump Source
              • Source File: 00000004.00000002.1799111466.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_400000_ngen.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 11f111e3f066dcbdc7871c3756b14082c061b035b8c66be693edd449e42f2af5
              • Instruction ID: 029fd4a609003f8422588e5046f0deacd53b9f192fd75f12867985c52d6ab774
              • Opcode Fuzzy Hash: 11f111e3f066dcbdc7871c3756b14082c061b035b8c66be693edd449e42f2af5
              • Instruction Fuzzy Hash: 9DE06D72604204BBD610EE59DC41FDB77ACEFC9714F004419F908A7241C770BA118BB5

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 27 42c6c3-42c704 call 4047e3 call 42d5b3 RtlFreeHeap
              APIs
              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,029EEF38,00000007,00000000,00000004,00000000,00416D2F,000000F4), ref: 0042C6FF
              Memory Dump Source
              • Source File: 00000004.00000002.1799111466.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_400000_ngen.jbxd
              Yara matches
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: a99e0096d90919c3b61dda58a12e7803618b49c0351b7f410112ef0713e7ce5b
              • Instruction ID: 8bc54c42ca3d988cebf4b5bdc64b9c10258c4a6ad0df05c0caeddc266b532ff1
              • Opcode Fuzzy Hash: a99e0096d90919c3b61dda58a12e7803618b49c0351b7f410112ef0713e7ce5b
              • Instruction Fuzzy Hash: 7AE06D76604304BBDA14EE59EC41FDBB7ACDFC9714F004019F908A7285D670BA10CBB4

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 37 42c713-42c74c call 4047e3 call 42d5b3 ExitProcess
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.1799111466.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_400000_ngen.jbxd
              Yara matches
              Similarity
              • API ID: ExitProcess
              • String ID:
              • API String ID: 621844428-0
              • Opcode ID: 8622beff1224670c39983e5e2e2f2f2063b1b6d6cb33b78eee5032fc12fe7a16
              • Instruction ID: 6bdb1385fd5073499b2da1b1a6746b67cf72df236e0b2f259ed83a6a9d3eb91b
              • Opcode Fuzzy Hash: 8622beff1224670c39983e5e2e2f2f2063b1b6d6cb33b78eee5032fc12fe7a16
              • Instruction Fuzzy Hash: A8E08C762002147BD620EA6AEC41F9BB76DDFC6724F40451AFA48B7281D6B5BA008BF5

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 42 58c2c0a-58c2c0f 43 58c2c1f-58c2c26 LdrInitializeThunk 42->43 44 58c2c11-58c2c18 42->44
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 35cd4e2740dc5fa1e9b7b1cb2cb5186cded2ebc32dc949148df334e76b4616da
              • Instruction ID: 48e7bb2212e0fce83b3dc7d7a253c086e42e857c9a45ce1a6d685fb021b1d4af
              • Opcode Fuzzy Hash: 35cd4e2740dc5fa1e9b7b1cb2cb5186cded2ebc32dc949148df334e76b4616da
              • Instruction Fuzzy Hash: E4B02B329014C0C9DA00F3204608B177E1077C0300F15C061D3034241E033CC4C0E172
              Strings
              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 058F54E2
              • corrupted critical section, xrefs: 058F54C2
              • Critical section address., xrefs: 058F5502
              • Critical section address, xrefs: 058F5425, 058F54BC, 058F5534
              • 8, xrefs: 058F52E3
              • Invalid debug info address of this critical section, xrefs: 058F54B6
              • Address of the debug info found in the active list., xrefs: 058F54AE, 058F54FA
              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 058F540A, 058F5496, 058F5519
              • undeleted critical section in freed memory, xrefs: 058F542B
              • double initialized or corrupted critical section, xrefs: 058F5508
              • Critical section debug info address, xrefs: 058F541F, 058F552E
              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 058F54CE
              • Thread is in a state in which it cannot own a critical section, xrefs: 058F5543
              • Thread identifier, xrefs: 058F553A
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
              • API String ID: 0-2368682639
              • Opcode ID: 83778820685a3f389a110ab20fbef56d291045a9d736291f93255c6c4dec7d15
              • Instruction ID: b4b213a678036ca958917c1c1c0fe55844650c3300ed039f4dfed1d768a36faa
              • Opcode Fuzzy Hash: 83778820685a3f389a110ab20fbef56d291045a9d736291f93255c6c4dec7d15
              • Instruction Fuzzy Hash: BA816AB1A40348AFDB20CF99C945BAEBBF9BB48714F10411AEA09F7240D3B5AD40DF60
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
              • API String ID: 0-3063724069
              • Opcode ID: 9d884acd40f7fa103b846e3194645b7712717091e418bdea7e63dace952ecf0f
              • Instruction ID: 830c8f9ec133a092b3e5e93c57731baecc3d87c36fa0305997e40d6f3b0f6333
              • Opcode Fuzzy Hash: 9d884acd40f7fa103b846e3194645b7712717091e418bdea7e63dace952ecf0f
              • Instruction Fuzzy Hash: 21D1F172908329AFD722DB54C854B6BB7ECAF84B54F044929FE84E7250D770DD0487E6
              Strings
              • @, xrefs: 0587D313
              • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0587D146
              • @, xrefs: 0587D2AF
              • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0587D0CF
              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0587D2C3
              • Control Panel\Desktop\LanguageConfiguration, xrefs: 0587D196
              • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0587D262
              • @, xrefs: 0587D0FD
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
              • API String ID: 0-1356375266
              • Opcode ID: b9b154ca2dc177de992f70a710fdc74873d7d0cfd975fa745c174af45e9fd5fe
              • Instruction ID: 2011eb31347d4fd794275e94e89b74e1426b76fc15ee4d8bc142e237f6fd640b
              • Opcode Fuzzy Hash: b9b154ca2dc177de992f70a710fdc74873d7d0cfd975fa745c174af45e9fd5fe
              • Instruction Fuzzy Hash: EAA15771A093099FD721DE24C484B6BFBE9BF84715F00492EE999D6240E774DD08CBA3
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-523794902
              • Opcode ID: d8e8f98ae6a1732d3a320358a4503623cfa8cb98677c2f47866106f58e985e4a
              • Instruction ID: 7d19520fb8222df1a3d7591ae00ab12c3af1616ea6b28a6a27f8ed6d17dfbe22
              • Opcode Fuzzy Hash: d8e8f98ae6a1732d3a320358a4503623cfa8cb98677c2f47866106f58e985e4a
              • Instruction Fuzzy Hash: D542CF312187899FC715DF29C888A2ABBE6FF84604F18496DED96CB351D734DC41CB62
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
              • API String ID: 0-122214566
              • Opcode ID: 811d26b74fb492754a126abf90095b750c1d143e95d3c7b1f4b285e9d6df45c5
              • Instruction ID: 70c59957ff8419a1fd0bd39661da8e5db640cbdeb7f5f25f96bea870f685dfcb
              • Opcode Fuzzy Hash: 811d26b74fb492754a126abf90095b750c1d143e95d3c7b1f4b285e9d6df45c5
              • Instruction Fuzzy Hash: 48C13631B08219ABDF29CB68D885BBEB7A6FF45715F084069EC02EB290DB74CC44D791
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
              • API String ID: 0-1745908468
              • Opcode ID: b5f7c77bdf0b6d6f445d2ad53c1b610f78d22cd954c310ef8e92114397b75419
              • Instruction ID: dae8f54b35f97a3c5227d698e00cfb150339309c8c827addc28e82027c46698e
              • Opcode Fuzzy Hash: b5f7c77bdf0b6d6f445d2ad53c1b610f78d22cd954c310ef8e92114397b75419
              • Instruction Fuzzy Hash: 6D912E31A04758DFCB11DFA8C446AADBBF6FF49710F18805AE846AB761DB399C81CB11
              Strings
              • apphelp.dll, xrefs: 05876496
              • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 058D9A2A
              • LdrpInitShimEngine, xrefs: 058D99F4, 058D9A07, 058D9A30
              • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 058D99ED
              • Getting the shim engine exports failed with status 0x%08lx, xrefs: 058D9A01
              • minkernel\ntdll\ldrinit.c, xrefs: 058D9A11, 058D9A3A
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
              • API String ID: 0-204845295
              • Opcode ID: 8c0d170bc62cc28408be8e22af9a5ea55c6feaea3e1e2cef469df84be597c0ed
              • Instruction ID: e513551e74c31530c681fdf5f914ba96c06003ae03e2a517475f1baf4d16a725
              • Opcode Fuzzy Hash: 8c0d170bc62cc28408be8e22af9a5ea55c6feaea3e1e2cef469df84be597c0ed
              • Instruction Fuzzy Hash: 035190713187089FD725DB24D845A6BB7E9FB84644F04091AFD86DB260EA34ED04DBA3
              Strings
              • Loading import redirection DLL: '%wZ', xrefs: 058F8170
              • minkernel\ntdll\ldrredirect.c, xrefs: 058F8181, 058F81F5
              • Unable to build import redirection Table, Status = 0x%x, xrefs: 058F81E5
              • minkernel\ntdll\ldrinit.c, xrefs: 058BC6C3
              • LdrpInitializeProcess, xrefs: 058BC6C4
              • LdrpInitializeImportRedirection, xrefs: 058F8177, 058F81EB
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
              • API String ID: 0-475462383
              • Opcode ID: 7b904b074391be7a36ff9f0c448b7b5ab167feab803d1e1ccd873f7611b0f9db
              • Instruction ID: fb2aaa9173cfd66b34efb5511528517ce9f437fc1a2b4cb0570ebae3e6817004
              • Opcode Fuzzy Hash: 7b904b074391be7a36ff9f0c448b7b5ab167feab803d1e1ccd873f7611b0f9db
              • Instruction Fuzzy Hash: 3A31D1727487059BD320EA28DC4AE6A77D9EF85B10F040958FD45EB390EA70EC04CBA3
              Strings
              • SXS: %s() passed the empty activation context, xrefs: 058F2165
              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 058F2180
              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 058F2178
              • RtlGetAssemblyStorageRoot, xrefs: 058F2160, 058F219A, 058F21BA
              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 058F21BF
              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 058F219F
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
              • API String ID: 0-861424205
              • Opcode ID: c5f2cad279fd16d0b199651aa67425f47ab7ee20945ee5a86d179a96ae72be9b
              • Instruction ID: 14fbc45d44fdc33d4bbaebde436651cce5defba2745b9097faed61d3f3ab258c
              • Opcode Fuzzy Hash: c5f2cad279fd16d0b199651aa67425f47ab7ee20945ee5a86d179a96ae72be9b
              • Instruction Fuzzy Hash: 3531143AB402147AF721AA988C45F9E77ADEB99A44F054059FE06E7340D2B0AE41C7E9
              Strings
              • RTL: Re-Waiting, xrefs: 058F031E
              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 058F02E7
              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 058F02BD
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
              • API String ID: 0-2474120054
              • Opcode ID: 3f5f84fc264807b6126f0fd7e440de0c8aaa0fce98699b8d215fae9f9b97338c
              • Instruction ID: b322f39fcb23e464dbb4a3cedfe95021225df058b65b81e5adaad892ea21337e
              • Opcode Fuzzy Hash: 3f5f84fc264807b6126f0fd7e440de0c8aaa0fce98699b8d215fae9f9b97338c
              • Instruction Fuzzy Hash: 5FE19D35608745DFE725CF28C888B2AB7E1BB88314F140A59EAA6CB2D1D774ED44CB52
              Strings
              • WindowsExcludedProcs, xrefs: 058A522A
              • Kernel-MUI-Language-Disallowed, xrefs: 058A5352
              • Kernel-MUI-Number-Allowed, xrefs: 058A5247
              • Kernel-MUI-Language-Allowed, xrefs: 058A527B
              • Kernel-MUI-Language-SKU, xrefs: 058A542B
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
              • API String ID: 0-258546922
              • Opcode ID: 12f736216f5a7f62cf6d9015dccb1613976f03426ebcfffd875214eae642a300
              • Instruction ID: d58dcfa7b0e92564dbd0a280e1c932df94956aedf31579066ad76bdac120c51f
              • Opcode Fuzzy Hash: 12f736216f5a7f62cf6d9015dccb1613976f03426ebcfffd875214eae642a300
              • Instruction Fuzzy Hash: D3F14B72E04618EFDF15DFA8C9849EEBBB9FF48610F15405AE905F7210E7749E418BA0
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1975516107
              • Opcode ID: 4e0999937dc38dd14897c8ad9e43a78910b19858fc10d39dbcb449c5e5a9c74c
              • Instruction ID: 61844fe6741c7258b6e23121081d354becf8579339a1a23f2e8de71500c4b7e9
              • Opcode Fuzzy Hash: 4e0999937dc38dd14897c8ad9e43a78910b19858fc10d39dbcb449c5e5a9c74c
              • Instruction Fuzzy Hash: 1851F172A093499FEB14DF68C4867ADBBF2BF48318F184459DD02EB681DB74AD41CB80
              Strings
              • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
              Strings
              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
              Strings
              • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
              Strings
              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
              Strings
              • @, xrefs: 058B8591
              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 058B855E
              • LdrpInitializeProcess, xrefs: 058B8422
              • minkernel\ntdll\ldrinit.c, xrefs: 058B8421
              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
              Strings
              • SXS: %s() passed the empty activation context, xrefs: 058F21DE
              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 058F21D9, 058F22B1
              • .Local, xrefs: 058B28D8
              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 058F22B6
              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
              Strings
              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 058E0FE5
              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 058E106B
              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 058E1028
              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 058E10AE
              • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
              Strings
              • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
              Strings
              • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
              Strings
              • apphelp.dll, xrefs: 058A2462
              • LdrpDynamicShimModule, xrefs: 058EA998
              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 058EA992
              • minkernel\ntdll\ldrinit.c, xrefs: 058EA9A2
              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
              Strings
              • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
              Strings
              • String ID: $ $0
              Strings
              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
              Strings
              • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 05881728
              • HEAP: , xrefs: 05881596
              • HEAP[%wZ]: , xrefs: 05881712
              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
              Strings
              • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
              Strings
              • String ID: @$DelegatedNtdll$\SystemRoot\system32\
              Strings
              • String ID: FilterFullPath$UseFilter$\??\
              Strings
              • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
              Strings
              • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
              Strings
              • String ID: %$&$@
              Strings
              • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 0595B82A
              • GlobalizationUserSettings, xrefs: 0595B834
              • TargetNtPath, xrefs: 0595B82F
              • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
              Strings
              • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 058DE6C6
              • HEAP: , xrefs: 058DE6B3
              • HEAP[%wZ]: , xrefs: 058DE6A6
              • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
              Strings
              • LdrpCompleteMapModule, xrefs: 058EA590
              • minkernel\ntdll\ldrmap.c, xrefs: 058EA59A
              • Could not validate the crypto signature for DLL %wZ, xrefs: 058EA589
              • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
              Strings
              • LdrpInitializePerUserWindowsDirectory, xrefs: 058F82DE
              • Failed to reallocate the system dirs string !, xrefs: 058F82D7
              • minkernel\ntdll\ldrinit.c, xrefs: 058F82E8
              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
              Strings
              • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
              Strings
              • minkernel\ntdll\ldrtls.c, xrefs: 058F1B4A
              • LdrpAllocateTls, xrefs: 058F1B40
              • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 058F1B39
              • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
              Strings
              • PreferredUILanguages, xrefs: 0593C212
              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0593C1C5
              • @, xrefs: 0593C1F1
              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
              Strings
              • LdrpCheckRedirection, xrefs: 0590488F
              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 05904888
              • minkernel\ntdll\ldrredirect.c, xrefs: 05904899
              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
              Strings
              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
              Strings
              • RtlCreateActivationContext, xrefs: 058F29F9
              • SXS: %s() passed the empty activation context data, xrefs: 058F29FE
              • Actx , xrefs: 058B33AC
              • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
              Strings
              • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 0590B632
              • @, xrefs: 0590B670
              • GlobalFlag, xrefs: 0590B68F
              • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
              Strings
              • minkernel\ntdll\ldrtls.c, xrefs: 058F1A51
              • DLL "%wZ" has TLS information at %p, xrefs: 058F1A40
              • LdrpInitializeTls, xrefs: 058F1A47
              • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
              Strings
              • Process initialization failed with status 0x%08lx, xrefs: 059020F3
              • LdrpInitializationFailure, xrefs: 059020FA
              • minkernel\ntdll\ldrinit.c, xrefs: 05902104
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2986994758
              • Opcode ID: df7b40ae5c25b7cec68072231f485d8e31b1dcb1a17578a9b9d912589ea6aeee
              • Instruction ID: 9f0e6e4d10bc5a9fce090ead9893f46305ffc189a4cf089adf85c9f3caec8fec
              • Opcode Fuzzy Hash: df7b40ae5c25b7cec68072231f485d8e31b1dcb1a17578a9b9d912589ea6aeee
              • Instruction Fuzzy Hash: 74F0F434640308AFDB14E60CCD4BFA93BACEB40A54F440495FA00AB281D6B4A900DA91
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: #%u
              • API String ID: 48624451-232158463
              • Opcode ID: e11e92f48cc6b2f8199f6ae3daceaec14bb5565798f10c8e45802ecd97c0b79a
              • Instruction ID: 767513f7e278b4cf63254123e1ea12a76e5f5a4870eb012f607491de0be4160b
              • Opcode Fuzzy Hash: e11e92f48cc6b2f8199f6ae3daceaec14bb5565798f10c8e45802ecd97c0b79a
              • Instruction Fuzzy Hash: 07713971A002499FDF05DFA8C998BAEB7F8BF48704F144465E905EB251EA34ED01CBA1
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: Legacy$UEFI
              • API String ID: 2994545307-634100481
              • Opcode ID: 6db1e33e61e60442d77dffe70bd5044f8aefe0c04162db9ba64b48e4cccaed4f
              • Instruction ID: 58d77152bb2309fbcea8365aa13916cb22c2509e9c1b8f81a8143c3560405e48
              • Opcode Fuzzy Hash: 6db1e33e61e60442d77dffe70bd5044f8aefe0c04162db9ba64b48e4cccaed4f
              • Instruction Fuzzy Hash: 3A614A71E143089FDB64DFA89845BAEBBB9FB48704F14406DEA49EB261D731ED40CB50
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: $$$
              • API String ID: 0-233714265
              • Opcode ID: 233d49d32a852d145fe3533b01ffe7ae75855456fffae08ab9b56978dd23e372
              • Instruction ID: a27fae7d620a0c3be86e3186e4048fc29f7707faa2d3d0cb5e9d07e34d82c9c1
              • Opcode Fuzzy Hash: 233d49d32a852d145fe3533b01ffe7ae75855456fffae08ab9b56978dd23e372
              • Instruction Fuzzy Hash: 8E61E271A0474ADBDF29DF68C585BACB7B2FF44308F184029DA15EB240DB74AD81CB81
              Strings
              • kLsE, xrefs: 05880540
              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0588063D
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
              • API String ID: 0-2547482624
              • Opcode ID: f3f993060b1703c30fece8c9b242bf73e05f3b18f450a5f70c4dd16c76eeb897
              • Instruction ID: c4f8d9e4760b3054c8f4f02e782565a1cdea48fccaeeda1bf3bd4d633afe79e0
              • Opcode Fuzzy Hash: f3f993060b1703c30fece8c9b242bf73e05f3b18f450a5f70c4dd16c76eeb897
              • Instruction Fuzzy Hash: FB516B71604746CBC724EF69C548AB7B7E5FF84304F04483EE99AC7240E7749949CBA2
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
              • API String ID: 0-118005554
              • Opcode ID: 9a24d410b88a51a33a1b021fefaee279f90ae88bf59f6240cd0db059288bfec9
              • Instruction ID: 6241b984c54cbcf2b11cabf1f654a0d6f2ff84c648a6a8f9e3e66dd04b29f800
              • Opcode Fuzzy Hash: 9a24d410b88a51a33a1b021fefaee279f90ae88bf59f6240cd0db059288bfec9
              • Instruction Fuzzy Hash: 55319C322087599BD311DB28D859B2AB7F8FF84790F080C69FC95CB390EA34D905CB96
              Strings
              • RtlpInitializeAssemblyStorageMap, xrefs: 058F2A90
              • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 058F2A95
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
              • API String ID: 0-2653619699
              • Opcode ID: b3a80d5cc4173623ab83db792929040cfba44cd95ac5d8ea59ff98503c169420
              • Instruction ID: 5fd0e154fede7bce62095538717911170ffa68634bc81cf6e3ffdd6a6c4b7825
              • Opcode Fuzzy Hash: b3a80d5cc4173623ab83db792929040cfba44cd95ac5d8ea59ff98503c169420
              • Instruction Fuzzy Hash: 75112C71704204BBFB36CA4C8D41FAF76ADEB94B54F1880297E05DB344D6B5CD0083A1
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: Cleanup Group$Threadpool!
              • API String ID: 2994545307-4008356553
              • Opcode ID: 94eebf268af24d1549aac170d8ac72a92997bdacb8f1495755db70f85375305b
              • Instruction ID: 202f51158c869a75c14b9cb57a58bf9cd9d3cf269ff73c2ba7ae5311dc597761
              • Opcode Fuzzy Hash: 94eebf268af24d1549aac170d8ac72a92997bdacb8f1495755db70f85375305b
              • Instruction Fuzzy Hash: 1601F4B2254704AFE311DF18CD4AF667BE8E755B25F008939B948C7290EB78ED04CB4A
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: MUI
              • API String ID: 0-1339004836
              • Opcode ID: 14120ca3f09c9fbc6425cd049047efbee926fb129655eeb2698358cbfef7545b
              • Instruction ID: 2f29709f1d34cb7c5361b266f178d8d92e7e56b8802182451c9a18992150ca7e
              • Opcode Fuzzy Hash: 14120ca3f09c9fbc6425cd049047efbee926fb129655eeb2698358cbfef7545b
              • Instruction Fuzzy Hash: 2D824875E052188BDB24EFA9C984BBDB7B2FF48314F148169EC5AEB294D730AD41CB50
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 558dfa33673e4ff0fa5c287c480c9e262b53a0503f52b032bcfbb8b4dbe3e7c3
              • Instruction ID: 2b5deef81f64bc99e1bf22d547b9f37baa25cc7681dd204ba9e39cfaace8e7e3
              • Opcode Fuzzy Hash: 558dfa33673e4ff0fa5c287c480c9e262b53a0503f52b032bcfbb8b4dbe3e7c3
              • Instruction Fuzzy Hash: 73412AB4D042889FDB24CFA9C881AEEBBF8FB49300F50456EE959E7211DB709940DF60
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: GlobalTags
              • API String ID: 0-1106856819
              • Opcode ID: 67d5e6b0df7fcb79d83b6997e9453b0859775a7378a0254b181acbe4552a91f9
              • Instruction ID: 0c7539c9bf756afad445bfe8ca7fcd496506b45a00e2ecf3b95d8ca6125f31d7
              • Opcode Fuzzy Hash: 67d5e6b0df7fcb79d83b6997e9453b0859775a7378a0254b181acbe4552a91f9
              • Instruction Fuzzy Hash: 08716C75E0421ADFDF28CF9AD591AADBBB2BF48700F14822EE906E7240E7719D41CB50
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: @
              • API String ID: 0-2766056989
              • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
              • Instruction ID: e177bf20b623e2741eb03566f47a2e78cfd3735510c5c0ebf768aeeddb09b2dd
              • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
              • Instruction Fuzzy Hash: 59615775D04219ABDB21EFA9C845BBEBBB9FF84714F144169EC12E7290D7349E00CBA0
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: @
              • API String ID: 0-2766056989
              • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
              • Instruction ID: defde22f4a09a1641353f2359ca41ddc89a3651f7b15e63b1e52c517fcb891de
              • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
              • Instruction Fuzzy Hash: FB519D72604705AFDB219F58C844F6AB7E8FB84B50F040929B991D7290EB74EE44CB92
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: EXT-
              • API String ID: 0-1948896318
              • Opcode ID: fda04fec9c1ba5cf0a4befc946c5dec90551e4e0b85341a4ae984f079e40bc1f
              • Instruction ID: a77cb690bcbdcb5f1748082de172766898c6278f2df3340e1e7ecc6f3baf5c99
              • Opcode Fuzzy Hash: fda04fec9c1ba5cf0a4befc946c5dec90551e4e0b85341a4ae984f079e40bc1f
              • Instruction Fuzzy Hash: 47418076609341ABDB29DA78C884B6BBBECAF88718F48092DFD85D7140E674DD04C793
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: BinaryHash
              • API String ID: 0-2202222882
              • Opcode ID: 26f8d04d0d34fe9ba55d8b218155a381e7a585507062847ebccd5c8907907744
              • Instruction ID: 3e76056e52171630d3d2f01c3c75da6b01a0f13b2465d88c7715a1076b6e7645
              • Opcode Fuzzy Hash: 26f8d04d0d34fe9ba55d8b218155a381e7a585507062847ebccd5c8907907744
              • Instruction Fuzzy Hash: D24161B1E1462CAADB219A54DC85FDEB77CAB48714F0045E5EB08EB140DB309F898FA5
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: verifier.dll
              • API String ID: 0-3265496382
              • Opcode ID: 187baa2efa1e7e5935d0cb85f6c5ac4ad6c32a263a2652e397cb6d6afb0bef30
              • Instruction ID: 27f08a9a6eeb2b1e1039080ae7edb2b1ac0156687509f1534e419e3eb50a99de
              • Opcode Fuzzy Hash: 187baa2efa1e7e5935d0cb85f6c5ac4ad6c32a263a2652e397cb6d6afb0bef30
              • Instruction Fuzzy Hash: 1E31A071B143019FDB249F289851B36B7E9FB48710F55983AED49DF3C2EA358C808790
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: kLsE
              • API String ID: 0-3058123920
              • Opcode ID: 66526cf5555f24416cc53a04f7ea6d44661a0a39febdd2c53da1da8966b9a576
              • Instruction ID: ea87a77581e3e9f11a1cb782ce8afc4f82a1df6846bed043eda7bf71882e8e74
              • Opcode Fuzzy Hash: 66526cf5555f24416cc53a04f7ea6d44661a0a39febdd2c53da1da8966b9a576
              • Instruction Fuzzy Hash: 96417C712297688BE720EBA5E94EB793F98FB80B64F14011EFC51DA1C6CF741885C7A1
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: #
              • API String ID: 0-1885708031
              • Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
              • Instruction ID: e32e3a48d2b57b673c06bd8b4156bebc9de7cbd4bdb8830aedb099d5fbcf2327
              • Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
              • Instruction Fuzzy Hash: B8414975A0061AABEF25DF48C490ABEB7B9FB84605F00405AED46E7350DB749E41CBE1
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: Flst
              • API String ID: 0-2374792617
              • Opcode ID: 92385dd160a3876b3ed04a2567c5dd650889cf08a4e8c44c8cd128a686ee12ef
              • Instruction ID: 600ef9de3a30b2295da287e44d88ed8b2db3424fe575c65ffa0f28f3224876ab
              • Opcode Fuzzy Hash: 92385dd160a3876b3ed04a2567c5dd650889cf08a4e8c44c8cd128a686ee12ef
              • Instruction Fuzzy Hash: 044198B5209301DFE714CF18C480A66FBE9FB49714F14856EE85ACB241EB71DD42CB96
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: L4QwL4Qw
              • API String ID: 0-1417497668
              • Opcode ID: f5aa652ae914cdf120de8eac5da4ca859bd555e00ffeae1dcaa9662e11f4da39
              • Instruction ID: 48e2119fda3cd70d0692d13ad422a5eada004e3d798e5ab48da553f516028aa8
              • Opcode Fuzzy Hash: f5aa652ae914cdf120de8eac5da4ca859bd555e00ffeae1dcaa9662e11f4da39
              • Instruction Fuzzy Hash: CE21D076A04B1CABC7229F18C804B1ABBF5FB84B94F160469ED55DB350DB30EC00CB91
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: Actx
              • API String ID: 0-89312691
              • Opcode ID: 6402f4b197569be178c6228e744ae77b40f941c35f58971756fdbf1bf9bd6884
              • Instruction ID: 73872616c56dc1ca8ed8d146c3ca09c07431cecb420e5d16f39d94cc53c185c3
              • Opcode Fuzzy Hash: 6402f4b197569be178c6228e744ae77b40f941c35f58971756fdbf1bf9bd6884
              • Instruction Fuzzy Hash: 8911B634308606ABDB24B91D885467677D7FB81228F34853AEC92CF391E675EC418381
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 022b37a781a982ad62e3b6f4bc9e20c67d877bfc92193a19cd4f6362790835cd
              • Instruction ID: 6ec01f384d5ef212575b588916ae8ef7a4279bfafbc05ce3010851a6739b5241
              • Opcode Fuzzy Hash: 022b37a781a982ad62e3b6f4bc9e20c67d877bfc92193a19cd4f6362790835cd
              • Instruction Fuzzy Hash: D7426B71A046169FDB19CF59C490ABEF7F2FF89214B188569D952EB340DB34EC42CBA0
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 72860677d3f41cb2f0ca32f60f7ea3e5634f2713e203d47f48a48350771fa26b
              • Instruction ID: 06c0d69753d0019b21f9016ad132c36dc488a5a20fae2632022241e182e494c0
              • Opcode Fuzzy Hash: 72860677d3f41cb2f0ca32f60f7ea3e5634f2713e203d47f48a48350771fa26b
              • Instruction Fuzzy Hash: 9C22C1726086718FDB24CF29C454776B7F6BF44300F08885AE8878F68AD7B5E492DB64
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fd5c846078c1c6b21ac381efe9ceca7e332f359a1bd0cefd4f60f0aa2ed6d506
              • Instruction ID: 6f5e5bd6bf6f7c61e6e99496cecf22361fb7705b8fb26385653147206c28abf9
              • Opcode Fuzzy Hash: fd5c846078c1c6b21ac381efe9ceca7e332f359a1bd0cefd4f60f0aa2ed6d506
              • Instruction Fuzzy Hash: 2F227C35B042168BCB19CF58C490EBAB7B6BF89314B28456DD856DB344EB34ED82DF90
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5334b2aa7065f42cdf4cb6f9ce68d8bafd1e1e10ac76ac383c4e4411004fc527
              • Instruction ID: 77632206d046346d9dfde346b3d5d190977128fcb7fc72bda27a197547eb0020
              • Opcode Fuzzy Hash: 5334b2aa7065f42cdf4cb6f9ce68d8bafd1e1e10ac76ac383c4e4411004fc527
              • Instruction Fuzzy Hash: 81E15B716083418FC714EF29C494A6ABBE1FF99304F058A6DE899CB351EB31ED05CB92
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ea72f7dd34294a147b7e8c78f1d059410e687082f8e76ddae83b1e422021b31f
              • Instruction ID: d47ef40f3f4b89a136edd848917e1e6f638247a6e44fc773ed8160568b151063
              • Opcode Fuzzy Hash: ea72f7dd34294a147b7e8c78f1d059410e687082f8e76ddae83b1e422021b31f
              • Instruction Fuzzy Hash: 0AD1B171A0020E9BCB14DF69C899ABEB3E6FF44248F058669ED56DB280E730DD40CF61
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 33f984f92fd4772ed2cf9a50f734d880ee0f3aa66a8a736cf1992f3f4966c1e6
              • Instruction ID: 74826b9f1262fd4b9afe665c5a82540984f7ab3da6bfacd01e549445aed59d37
              • Opcode Fuzzy Hash: 33f984f92fd4772ed2cf9a50f734d880ee0f3aa66a8a736cf1992f3f4966c1e6
              • Instruction Fuzzy Hash: 36C19E71A0520A9BDF28EF58C845BBAB7B6FF85314F188269DC15EB290D770ED41CB80
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c4b4d81e17e726c7b36bf41340e5367f4dcf93aba9abb02372e4d988812cb7d4
              • Instruction ID: 3c7ed392e6a47ffe59342b06c830905558e001f7e46993960842bfb944fa97ee
              • Opcode Fuzzy Hash: c4b4d81e17e726c7b36bf41340e5367f4dcf93aba9abb02372e4d988812cb7d4
              • Instruction Fuzzy Hash: C9C1C272A052598BCF2ECF18C494B79B7A2FB84714F1D4159EE42DB2A1EB349D41C7A0
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
              • Instruction ID: e77964ead19e9d7849b5b7cdc4203a4db4ac2ff33c61461900893301a5733d0c
              • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
              • Instruction Fuzzy Hash: E5B1E231704649EFDF19CBA8C858BBEB7B6AF85304F184154E956D7291DB30ED41CB90
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c82ed62dd574f1a520473f7c183e81a6e01652f08c19c339abdf8ae28613a497
              • Instruction ID: 4f3fd4bec89281b1dc834521b93099570714ae4d9d0300913c6ed7e76aaea6e3
              • Opcode Fuzzy Hash: c82ed62dd574f1a520473f7c183e81a6e01652f08c19c339abdf8ae28613a497
              • Instruction Fuzzy Hash: 16A15A71A04205AFEB169F68CC45FAE7BB9AF46750F054098FE01EB2A0DB75DC018BA1
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: aec80ab534035c04964afdbf59d5fa70e6bec05ec1cd857c2c482c96412cc620
              • Instruction ID: 5c06a095e256f3bbf25ec168fc0d8c98c6ec8607a423ba005823a2b7290df0df
              • Opcode Fuzzy Hash: aec80ab534035c04964afdbf59d5fa70e6bec05ec1cd857c2c482c96412cc620
              • Instruction Fuzzy Hash: 4DC124752083418FD764DF19C498BAAB7E5FF88304F44496DE98ADB290E774E908CF92
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 709c8af7a8c887759c418f090a5765a5c8b26fb4dfebb4c2aa33400e8b41df22
              • Instruction ID: 0d809a78e0061ab5f1ee7e24e866b8448e1dc7535e253175a6a293d09efbdf9d
              • Opcode Fuzzy Hash: 709c8af7a8c887759c418f090a5765a5c8b26fb4dfebb4c2aa33400e8b41df22
              • Instruction Fuzzy Hash: 70B15F70B042598BDB24DF58C894BA9B3F6BF44704F1485E9D80AEB250EB71DD85CB25
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ec643b313a67aa30f073921b57483aa966a4ec318d974ca36980a331fbfaae56
              • Instruction ID: df12108bb9cca385aadb9dff0f2c63bfce92ffae2e8c97025cffff0c2cd10633
              • Opcode Fuzzy Hash: ec643b313a67aa30f073921b57483aa966a4ec318d974ca36980a331fbfaae56
              • Instruction Fuzzy Hash: 56A11432E046189FEB21DB58C848FAEBBBABB45714F150965EE01EB2D0DB749D40CB91
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2be224c7c6dab85e870cbe285e1ccf1f97cd5e86ed8ec013b3ddcfcaae9f3790
              • Instruction ID: ba6f3d25eac641a77e5b3ac82c1f3c44c1ddfd51f9a72f10652945c9ddc1bb63
              • Opcode Fuzzy Hash: 2be224c7c6dab85e870cbe285e1ccf1f97cd5e86ed8ec013b3ddcfcaae9f3790
              • Instruction Fuzzy Hash: B8A18E70B00619DBDB24DA69C994BBEBBA6FF44359F0040ADEE46D7281DB34EC11CB50
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ccef32c50b4efcb82f4a28e6f3d8840121a50e732a14cb5dd694d06b06e581de
              • Instruction ID: 61083b6807980712fb91cd539e4497e9e98ce6b1370f68d1591c74b6888f7b7b
              • Opcode Fuzzy Hash: ccef32c50b4efcb82f4a28e6f3d8840121a50e732a14cb5dd694d06b06e581de
              • Instruction Fuzzy Hash: 7BA1DF72604701AFCB55DF28C980B6ABBE9FF48714F440929F989DB250C734ED91CB92
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3f8410257aa2367191470288f4c44cdbc8f7e116d2e18a2371cd67ff9b8c94b7
              • Instruction ID: b94c38a21911c63943186635293a3c598c7a2090b75f493e398289d48299743a
              • Opcode Fuzzy Hash: 3f8410257aa2367191470288f4c44cdbc8f7e116d2e18a2371cd67ff9b8c94b7
              • Instruction Fuzzy Hash: 09B10774A04209CFCF25EF19D481BB9BBA1FB44258F14459AEC26DB296DB31DC46CB90
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c74742520358d81bd76ce56f9ef8549757a865f32fae55b0b1a7a3165e634e21
              • Instruction ID: d318e2f423930224abe8bda0594eb04b85f933b5f010f492dbd8f192380773b2
              • Opcode Fuzzy Hash: c74742520358d81bd76ce56f9ef8549757a865f32fae55b0b1a7a3165e634e21
              • Instruction Fuzzy Hash: 64B100756093408FD754CF28C580A6AFBF2BF88704F184A6EE99ACB352D731E945CB52
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
              • Instruction ID: c27efa377c92bd3c6ee8c21a53893367289daca88049ca3dcc70bd80ccb5fb59
              • Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
              • Instruction Fuzzy Hash: EA716D35A0421ADBCB20CE64C492ABEBBEBFF44750F59455AE842EB641E734E9418B90
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
              • Instruction ID: 87595edaaefdbe301a77955327d99bdfac177e99b38e12d1394c1bb85af59b9b
              • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
              • Instruction Fuzzy Hash: 27817972E0521A9BEF24DF68C880BADF7B6FB85304F19816ADC16F7344D635AD408B91
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 119f21c2ce867a9d95b144a2b66f88107b757f52c83327116b3c5671b6a54557
              • Instruction ID: ec991e97e03cf0630c20d5aa04162a30f802c71eb8aa9ba57b6573459f61cb97
              • Opcode Fuzzy Hash: 119f21c2ce867a9d95b144a2b66f88107b757f52c83327116b3c5671b6a54557
              • Instruction Fuzzy Hash: 2D71AE75905669EBCB29CF59D490BBEBBB5FF49710F18411AEC42EB250D7319C00CBA0
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f36f31ea2e0e7bafb1a219a525a206ee1f448acb32198843582bcafd6967597c
              • Instruction ID: 7b75577a58592934f06b2525393abf558cfcda6caa5dc199b19b58855e138807
              • Opcode Fuzzy Hash: f36f31ea2e0e7bafb1a219a525a206ee1f448acb32198843582bcafd6967597c
              • Instruction Fuzzy Hash: 7B718C79704281AFC716DF28C484B2AB7E6FF84214F0885A9EC9ACB751EB34DC45CB91
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f5ea3af8ea2f7bceee209ae0278620bf2fd0ad7205acb02331b821424c3d0888
              • Instruction ID: 9069d616dde9de085e5339689700b535c6eb0eca9d15e4d973fb867470db1731
              • Opcode Fuzzy Hash: f5ea3af8ea2f7bceee209ae0278620bf2fd0ad7205acb02331b821424c3d0888
              • Instruction Fuzzy Hash: 586189B1604716AFD725DF68C888FABBBA9FB88710F004619F85987240DB34AD14CF91
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6a7fa3857182813892bd19fb00749c0b23ce81b9cdd676e761c62330624faba0
              • Instruction ID: b0b1af3c5ad22836738a8c172989cbedd37f31a1bc2e1b89708fb72da7a7ad50
              • Opcode Fuzzy Hash: 6a7fa3857182813892bd19fb00749c0b23ce81b9cdd676e761c62330624faba0
              • Instruction Fuzzy Hash: 167155B6E012199FDB14CFA8C541BACBBFABF49314F18806AD845E7391D735AD41CB90
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5836d282a77a390e27572e070057607584052e50d5f0d6b53f4c5bda5700763d
              • Instruction ID: 075d4e0b516e984d4b427634ee981c2b183aa29288c383e94ce1fdb0b73b7f9b
              • Opcode Fuzzy Hash: 5836d282a77a390e27572e070057607584052e50d5f0d6b53f4c5bda5700763d
              • Instruction Fuzzy Hash: F4613075B04606ABDB18EF68C484ABDFBB6FF84304F24816AD819E7300DB35AD45CB94
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5245079f5458c6f8a8d62f9a455bacd029ea0f766dea3a32845d8d7627561f98
              • Instruction ID: 7ec352f8d49498a077aa8d4565bd675a3fed9780a7bd8b9a268f34bbd79d9998
              • Opcode Fuzzy Hash: 5245079f5458c6f8a8d62f9a455bacd029ea0f766dea3a32845d8d7627561f98
              • Instruction Fuzzy Hash: DD518271214344ABE720EF18CD85F6A7BA8EB89724F10062DFE56D7191DB30DC01CBA2
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f2ac5a0cbe77bc6146844377f528e5853f16ab1f555122f946bf9d04c51bb95b
              • Instruction ID: 56dbc153abddb5e78f259c7eb9e7b4ca093c5b66e459f834d412e74783d0b254
              • Opcode Fuzzy Hash: f2ac5a0cbe77bc6146844377f528e5853f16ab1f555122f946bf9d04c51bb95b
              • Instruction Fuzzy Hash: 5E518C71A04308ABEB219FA8CC85BADBBB5FF46344F20412EE995E7291DB719C449B11
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5848bddf37cd1208ca92b38463a1ac07ce1b04c933ca5b934506d13a6c7b2b5b
              • Instruction ID: 8a443f483dda8298c41fd1a85bffa81c6fe68e68aea7f3c4e6cfcd87012261a8
              • Opcode Fuzzy Hash: 5848bddf37cd1208ca92b38463a1ac07ce1b04c933ca5b934506d13a6c7b2b5b
              • Instruction Fuzzy Hash: 69510179A0461AAFCB19CF68C485AA9B7B1FF44710F088A65EC55DB740EB34ED91C7C0
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d425d17b17edcd2955328a6127eabf3884ae6d78815aafae0e40aa9e84944caa
              • Instruction ID: 1a58baa84811fe3d1e5417b020af870165c5abff5804cedccc39b6988ea1a3a9
              • Opcode Fuzzy Hash: d425d17b17edcd2955328a6127eabf3884ae6d78815aafae0e40aa9e84944caa
              • Instruction Fuzzy Hash: 4B515D71200A04DFDB25EF68C984EAAB7BEFF08744F54086AEA56D7260DB74ED40CB51
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c9f67b3e992354f441c2159f46f50271f3f812e253b9dce4c7950129c71b802
              • Instruction ID: 4bca47630731e392215363f9275480f6daaaea274c56fcb2468d429c93d25a32
              • Opcode Fuzzy Hash: 9c9f67b3e992354f441c2159f46f50271f3f812e253b9dce4c7950129c71b802
              • Instruction Fuzzy Hash: FF51DC35A04609EBEB15EB68C948BBDBBB6FF45715F204029EC13D3690EB74AD11CB81
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
              • Instruction ID: 3438a79a5518ca16de26cd39f7faa4328937849c8d8b63096c42ed5fb6b8afac
              • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
              • Instruction Fuzzy Hash: 38518A76E0424EABEF16DB98C440BAEBBB5AF45754F044069ED01EB260D7B4DD44CBA0
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 701c0fe82aa182cace1ddd5e041d58dfb0a027b3baf426eab29c9dd848030241
              • Instruction ID: f0f74d4a8ddf37e678caf9867bc465af5d9c084013e796c80f1a39536e3e5f38
              • Opcode Fuzzy Hash: 701c0fe82aa182cace1ddd5e041d58dfb0a027b3baf426eab29c9dd848030241
              • Instruction Fuzzy Hash: 2B517A71B05719EBEB21EAA8D848BFDB3B6FB05719F040419EC06E7241DBB5AD408B51
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3e25dd678c5bb3b7511eaa7a423346c7d3380c930e0581f2927a73cbaa9438b2
              • Instruction ID: bd90ebfebcdf1a21dc3c9f2cf300029c0e1755d5c5334b081a89406592ae6e3c
              • Opcode Fuzzy Hash: 3e25dd678c5bb3b7511eaa7a423346c7d3380c930e0581f2927a73cbaa9438b2
              • Instruction Fuzzy Hash: F641B976E05229ABDB21DB988844AFFB7BDAF45754F0501A9ED01F7300DA34DE0087D5
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
              • Instruction ID: 5588da6e2e4935b6db1dbc8ba08b909d23c3105de6f31df0cf5ed1a114bbf04b
              • Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
              • Instruction Fuzzy Hash: 25517C71601606EFCB15CF14C581A66BBBAFF45354F1984AAE808DF222E371E959CB90
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 78fa8883e557bae077329b76e50eb5026d8e56bd1bff4a26dd1496b60a535f0f
              • Instruction ID: 1b0d50eb3b89d8c4b6d38746d5d2422ae05d22792c4df740139ab60032abfafc
              • Opcode Fuzzy Hash: 78fa8883e557bae077329b76e50eb5026d8e56bd1bff4a26dd1496b60a535f0f
              • Instruction Fuzzy Hash: FB41E7717443099BEB18FE699886FAA3A6AFB48714F01012EFE02DB351EBB59D00C751
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 65acc356062c940c257adfc144e0f6acb97a341fdd194d66fe26878acafdfda1
              • Instruction ID: 0f692b52949256e178c67fc89707b535742856c507836c0688256ae9baf85696
              • Opcode Fuzzy Hash: 65acc356062c940c257adfc144e0f6acb97a341fdd194d66fe26878acafdfda1
              • Instruction Fuzzy Hash: A0518C327096958FC722DB18C444F7A73B6FB86754F0909A6FC06DB691EB34EC44CAA1
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a59bc54eec7f15446618f38a1b34881ae64cdeccbb932572b26914f1eda95f36
              • Instruction ID: 59831028423cbe6543e8cf60d9693297b7e7503da94de97666242e770cc8f0a9
              • Opcode Fuzzy Hash: a59bc54eec7f15446618f38a1b34881ae64cdeccbb932572b26914f1eda95f36
              • Instruction Fuzzy Hash: 2141DD35A00218DBEF15DF98C448AEEB7B9BF48604F14826AEC1AF7340D770AD45CBA5
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
              • Instruction ID: 3fc787db7337d1cffe5eaaf1c165a4f3120b75f2169b7b0a3b029d4789846bfd
              • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
              • Instruction Fuzzy Hash: B7514C75A00619CFCB18CF58C580AADF7B6FF88724F2481A9D959E7750D730AE41CB90
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8603a316bb9bd4feda6a088dd1ffd3c211b9b5c750c0f231febf3ae5f8ce54ba
              • Instruction ID: 4fd0b5d8daa493b7aa5f8c89702a29f27f435b469fcc94fa13fa4c5e7081ca94
              • Opcode Fuzzy Hash: 8603a316bb9bd4feda6a088dd1ffd3c211b9b5c750c0f231febf3ae5f8ce54ba
              • Instruction Fuzzy Hash: 8851C470A0461ADBDB25EB28C809BF8B7B2FF11314F1442E5D92AE72C1EB749D81CB41
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b951443b9127b5a07fe9a6e79dd11710440488ebd971a43d8a5ed2ebd7311bdb
              • Instruction ID: 58acc9a01fc50575e150fac60d99266b7453c75f5ba629f719e1a3346614aed7
              • Opcode Fuzzy Hash: b951443b9127b5a07fe9a6e79dd11710440488ebd971a43d8a5ed2ebd7311bdb
              • Instruction Fuzzy Hash: 35417BB1651709AFDB22EF68C884B6ABBEAFF00694F044469ED55DB250E770DC00CB61
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
              • Instruction ID: 302dd57e67799c1c5f9388c4d7565704a3bb5d9f63e0df696cea90b260d68c8e
              • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
              • Instruction Fuzzy Hash: 9141B275B10205ABDF15DFA9CC94EBFBBBEBF89240F184069E801A7341DA70DD008BA0
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: afb2e99ce57ac2c47bc5d17f06b11df60e8d4b1818810cc7cb20b3713bef14dc
              • Instruction ID: 7fdfbdae22071c7d1b75980755d98b8e9ba9447e713420a2537602f6672f2ee7
              • Opcode Fuzzy Hash: afb2e99ce57ac2c47bc5d17f06b11df60e8d4b1818810cc7cb20b3713bef14dc
              • Instruction Fuzzy Hash: 1E41BF32A49208CFEF19DFA8C8947A97BB5BB09314F140156E826EB691DB34DD40CBA4
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c03573678a04a019ce9f05e32f7bda33c0dff209d57fada299d0f37c03ec99a7
              • Instruction ID: 22709090d8612a6bea335b6ea7b53e496ba4aa8ca75239910df9c27c83a9c482
              • Opcode Fuzzy Hash: c03573678a04a019ce9f05e32f7bda33c0dff209d57fada299d0f37c03ec99a7
              • Instruction Fuzzy Hash: D441B1762193049BD720EF28C994E6A7BB9FB85720F01456EFD16C7291DB30EC01CB92
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction ID: d9bb92c1910d0f932571674d8fc6787381d684aabb50edbb5c22efc6d4ca1fab
              • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction Fuzzy Hash: C7411931B08219DBDB28DE598444BBEFBA2FB40756F16846AEC46DB240D631DD40DFA1
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
              • Instruction ID: 77e22617dc794e403b5a39541f46546d4d7f52235fc1d3698f11287402fdf60d
              • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
              • Instruction Fuzzy Hash: E6411675A04705EFEB24CF98C984AAAB7F9FB08700B10496DE956DB390D770AE44CB94
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3ba416bd55b306cffd505a51d7765816edaffdbcf6997d07db223099c6059c5b
              • Instruction ID: c324894a08766b5f5f41c7ca904cc4db06ee4de12ffdeb625311c490a966fba8
              • Opcode Fuzzy Hash: 3ba416bd55b306cffd505a51d7765816edaffdbcf6997d07db223099c6059c5b
              • Instruction Fuzzy Hash: F4414875605B08DFCB25FF29C944A69B7F2FB84214F1482AAD917DB2A0EB309D41CB52
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6876cc78266b85a8408f905529d4d466a35d8547c37e07a579ddf141693f1b7a
              • Instruction ID: 4651e63935aba0f060af1fa275c0b26ed9e146b8f379d48c13f30c38fb9e0e6c
              • Opcode Fuzzy Hash: 6876cc78266b85a8408f905529d4d466a35d8547c37e07a579ddf141693f1b7a
              • Instruction Fuzzy Hash: 2A41C0726087419FC320DF69C844BAAB7AAFFC8700F440A2DF895D7690E730E904C7A6
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1011fddb2f5c1c534248001fd76ec8898537ff32cda8b336f9682ca7fc2bf88e
              • Instruction ID: efa11f6b528ca1cb2ea8440a668b20f96123ecf3428e13f8824b83cbfdc1e02d
              • Opcode Fuzzy Hash: 1011fddb2f5c1c534248001fd76ec8898537ff32cda8b336f9682ca7fc2bf88e
              • Instruction Fuzzy Hash: 9F319C31301A16FBDB55BB64CA84EB9BBA6FF44718F409025ED02C7A50DBB4AC20CBD1
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
              • Instruction ID: 44cb2f0b41479d3cb516deb5cab1b941dc439623771c1aba763a5c3356e8f6b9
              • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
              • Instruction Fuzzy Hash: 0A31B4327083459BFF21EA18C800B77B6A6BB85754F49852AFC95CB295E674CC81C792
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3f3698efff5bb64d2a0c2a7119ec1d34d7ad145a7a3c17f639b88669de05d2bb
              • Instruction ID: aa1c414e893a0cc65274d96aeef324ad85f718567c254a986b44914b4d50be0d
              • Opcode Fuzzy Hash: 3f3698efff5bb64d2a0c2a7119ec1d34d7ad145a7a3c17f639b88669de05d2bb
              • Instruction Fuzzy Hash: 5931F472604608AFC721DF18C840A6677A7FF85765F14426AFD45CB291EB31ED42CBD1
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f4c53378244f9666c3deeba6c06f3eda548ba4b0cf4f3975cb9fbac973b7e462
              • Instruction ID: dc28f8ab89beef95b2ec64208ee58a1d49abdcc75702d11446de7202c368731a
              • Opcode Fuzzy Hash: f4c53378244f9666c3deeba6c06f3eda548ba4b0cf4f3975cb9fbac973b7e462
              • Instruction Fuzzy Hash: A231E1B6A0021ABBDB15DF98CC44FAEB7BAFB45B40F454168E900EB244D770ED40CBA0
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1749f5ece76c9871bc2396d3fa9fc63c1ddbe795028c25788d08fc421848f649
              • Instruction ID: efaed334c277b11dd9b85f8d938dcf57ef0f5dabfbe1422560e94ae74b4a025b
              • Opcode Fuzzy Hash: 1749f5ece76c9871bc2396d3fa9fc63c1ddbe795028c25788d08fc421848f649
              • Instruction Fuzzy Hash: 1C319132B04719DBC712EE288C89E7BB7AAEF94754F014529EC55DB310DA30DC4997E2
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2aeb17018ad7fa60a76cae938699d086accd05d8a156e9621f4c235e2045ee50
              • Instruction ID: fcd75af4617bad98d326e6a68ed8b0f2deae5d5eed657ab208b3e6fed2264c0c
              • Opcode Fuzzy Hash: 2aeb17018ad7fa60a76cae938699d086accd05d8a156e9621f4c235e2045ee50
              • Instruction Fuzzy Hash: AF31C2B1700605AFDF269F99C950E6EBBAAEF89754F04046AE509DB341DB30EC008F90
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7b9f6f9096ac5bac2cb52137c42172dd4c94c6e215059f0d481420af646af8df
              • Instruction ID: 9742e36aa42dcdd6c1afdda44e122cd32ddb08cd7d1b22526785e608604454db
              • Opcode Fuzzy Hash: 7b9f6f9096ac5bac2cb52137c42172dd4c94c6e215059f0d481420af646af8df
              • Instruction Fuzzy Hash: 083146766093018FE321DF19C940B2AB7E9FB88710F45496DEC86DB291D770EC48CB92
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
              • Instruction ID: 95af9328388e0a9b2181a1051ecb209347afc4538cf36d57b4b4ff81c4a25869
              • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
              • Instruction Fuzzy Hash: 9431957660620CAFDB21CE58C984F6EB3A9EF80794F1984A8ED16DB251D770DD40CBE1
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 99ed2ba81b94446942b7c5382b81b35beefea4cea403e2edf27d4fa50def1793
              • Instruction ID: 7b20a2be951ce5b00d3a3b361edd17d61c2f3a53cff07cef2b06a7e61ef03afc
              • Opcode Fuzzy Hash: 99ed2ba81b94446942b7c5382b81b35beefea4cea403e2edf27d4fa50def1793
              • Instruction Fuzzy Hash: AF315835715A09FFDB55EB24CA88AAABBA6FF84314F545426EC01C7A50DB71EC30CB81
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction ID: d26a864e4505500d1cbe5883a3129c0b2de7fe4f50b2d44df688f8fbced2de28
              • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction Fuzzy Hash: A9F04FB3600A15ABD725CF4D9840E57F7EAEBC4A90F058169A955D7220EA31ED05CB90
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 67b33fe9a1065c4476f180a5aa93e4362e2b65c34c16835733473cad8126dcaf
              • Instruction ID: 147b1f5e48e2df61595f6f6c09b6bfe0d9c36d8e0f993fabfd8d0aaa78c3def0
              • Opcode Fuzzy Hash: 67b33fe9a1065c4476f180a5aa93e4362e2b65c34c16835733473cad8126dcaf
              • Instruction Fuzzy Hash: 690129B5E00309EFCB04DFA9D545AAEBBF4EF48300F00806AA805EB350EA74DA00CB91
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6f30d2f46da0c9a25caa112c1d5e0db82b9139b3d4edf9a51adc70bf0d08ed20
              • Instruction ID: 86026646212b6515779c8983e761b57a49fead0f5806b3d8de13f73dc03723ca
              • Opcode Fuzzy Hash: 6f30d2f46da0c9a25caa112c1d5e0db82b9139b3d4edf9a51adc70bf0d08ed20
              • Instruction Fuzzy Hash: 56014F71A113499BCF04DFA9D855AEEBBB8EF48310F54405EF901EB290EB74EA01CB95
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5f8407c30ec268efb2a56889fadbd32fdc26081681ef12d627a1fdb49b92dfce
              • Instruction ID: 0d7cad569f7f7d5a02cc47ae4f8fbc62bd7992246419f21720abe5413738972a
              • Opcode Fuzzy Hash: 5f8407c30ec268efb2a56889fadbd32fdc26081681ef12d627a1fdb49b92dfce
              • Instruction Fuzzy Hash: F4019736210209AFCF129F84DC40EDE3FAAFB4C764F069511FE1966260C636E970EB81
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0920ee90354ed3308bf84648a592ba6236293137cc8b68d2eb7dfbdc2084c27a
              • Instruction ID: 0524f104d8acca5ad070bafedfa71a42abf5783d1c11480ec22081b4dd6b7be6
              • Opcode Fuzzy Hash: 0920ee90354ed3308bf84648a592ba6236293137cc8b68d2eb7dfbdc2084c27a
              • Instruction Fuzzy Hash: 7C018170308784DBF722976DCD48F7637A9BB44B04F480595BE12DB6E2FB68DD018211
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ad38fd14cd54bd4314c643fb4cf77916b0d08e7a0723a33d4523a8db6d87ed48
              • Instruction ID: fdaf65abdefe448e91a01bc1ed04b34a3f2842505249bbf1c48055f11bf53826
              • Opcode Fuzzy Hash: ad38fd14cd54bd4314c643fb4cf77916b0d08e7a0723a33d4523a8db6d87ed48
              • Instruction Fuzzy Hash: 29F090723042095BE624A6199C51F3237AAE7C06A5F65807AEF0ACB680FA71DC41C3B5
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
              • Instruction ID: 4fea10bb961bbea4c928ff99f02727dbb9f7eba15bb85d525f24c1211d36f7d9
              • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
              • Instruction Fuzzy Hash: A6F04476A40204BFE711DB64CD41FEA77BCEB04750F040565A956D6190EA70EE44CB91
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c7f98365caa70d8a821ae26d115fbb1aebea24e98d21f73b0512ecafb49549da
              • Instruction ID: 6e96c921a619f1645910dc9c43f1840a485412198fb897bb7d14c41b6ab0c644
              • Opcode Fuzzy Hash: c7f98365caa70d8a821ae26d115fbb1aebea24e98d21f73b0512ecafb49549da
              • Instruction Fuzzy Hash: 4DF04F75A1134DAFCB04EFA8D555AAEBBF4EF58300F108459B805EB391EA74DE00CB55
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2b7f22df9692eab7b035e3e4bd97f0aac7360dd79ff96761a633a39587db5d4b
              • Instruction ID: 887d62c935b71f4138a0ad27fa5f64cffb6ea11e989bacacec8b8bcf19514faa
              • Opcode Fuzzy Hash: 2b7f22df9692eab7b035e3e4bd97f0aac7360dd79ff96761a633a39587db5d4b
              • Instruction Fuzzy Hash: E2F06D329166D79EDF22EB588049F317795EB0872CF09496ADC8AC7521C624DC84C651
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a6a2fb696e12ea98a1ebfee4edb50ece245e549b5fe936bec255e0945ed87c05
              • Instruction ID: 0a9e6fb3bae1a2c6eab8e1ed1072c6341b47fab81fdb3eeb559cb3484ed78d93
              • Opcode Fuzzy Hash: a6a2fb696e12ea98a1ebfee4edb50ece245e549b5fe936bec255e0945ed87c05
              • Instruction Fuzzy Hash: 29F06271A10348EBCF04DFA9D455EAEBBF4EF44304F044459E901EB291EA34D901CB55
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: afd5e4293c985d8f886288a2e6d35b95a97c2ca2a214a065510769696042f256
              • Instruction ID: 398a975111d84bbb50e956995eb78caa7ccbe6eff12a032ba48d15b08984bb99
              • Opcode Fuzzy Hash: afd5e4293c985d8f886288a2e6d35b95a97c2ca2a214a065510769696042f256
              • Instruction Fuzzy Hash: 63F0276652DB88CACF216B38A69EAA16F69A78A150F091446D5A25F200CA749C83CA24
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f60bec51d6f83771867acabeb9431905d142776f09bf44307471220681592112
              • Instruction ID: 5b89fd7e91b0c6b4dd37f75869005e6ac164fa6ec91620df4e5126a8325999af
              • Opcode Fuzzy Hash: f60bec51d6f83771867acabeb9431905d142776f09bf44307471220681592112
              • Instruction Fuzzy Hash: B1F0BE716596529BE722D658C148FA273EDAB826A4F08A469DC06C7712C6A0DC80CA51
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
              • Instruction ID: fa70030a53f05cc9213ffb19babc2621cb76aa70660924a6dd6ae1ddd58cc5bf
              • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
              • Instruction Fuzzy Hash: 1AE09232300A006BD7229E5D8C84F477B6EAF82B10F0400BDB9059E291C9F2DC0982A5
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1ccec65de6d0d35acc89e2e5df6cc9e1a9c06ce2592615bd0691cce79baf8f04
              • Instruction ID: 4c8905392a253c3a3f2e08daab34d4320d9b2f4c217c1a08807eb641b05fa753
              • Opcode Fuzzy Hash: 1ccec65de6d0d35acc89e2e5df6cc9e1a9c06ce2592615bd0691cce79baf8f04
              • Instruction Fuzzy Hash: B0F0B470A1034CDFCB04EB78D455AADBBB4EF44300F108499E905EB291EA74DD018B55
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5d449a30cec6eca82c682d4a5ef7e76db60a34a1a4b66b78cc6429c3fbc7b248
              • Instruction ID: cdaeac1d5c872c026034240b4b31306f7bc1305257be635db803daf7277478d3
              • Opcode Fuzzy Hash: 5d449a30cec6eca82c682d4a5ef7e76db60a34a1a4b66b78cc6429c3fbc7b248
              • Instruction Fuzzy Hash: 3FF0E270A10348ABCB04EBB9D45AF9E7BB9EF08304F000498A901EB281EA34DD018715
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2489493d5f54d947c48b52f15f89c24727dabb254de412d105f35c3ce650751f
              • Instruction ID: ee9b83a211b1e628891f62ce65330b20e6e5c0df6a2b1192713d381a9bd51ac1
              • Opcode Fuzzy Hash: 2489493d5f54d947c48b52f15f89c24727dabb254de412d105f35c3ce650751f
              • Instruction Fuzzy Hash: 5EF0E270B01308ABCF04DFA8D55AE9E7BB8EF08300F000498E901EB381EE38DD008755
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ee7b55438ae4485f9f584b7c5eae808f926dc73cb142fc23bc43e27eb1947cc5
              • Instruction ID: 0341596f9fa90bdb957626db2bed5706e23dff0982ac38b476711d9476b117be
              • Opcode Fuzzy Hash: ee7b55438ae4485f9f584b7c5eae808f926dc73cb142fc23bc43e27eb1947cc5
              • Instruction Fuzzy Hash: 68F0E271B00748EBCB04DBA8C55AE9E7BB8EF08700F040098E502EB280ED38DD018715
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9d70555212f8efb0b5b30e11e9daa93f5cfe5df18579929f58da51090c3bf864
              • Instruction ID: c1b5509d229a23250c511d28abf4ddad9d4a270c56b9f54188aa7ae4002f49fe
              • Opcode Fuzzy Hash: 9d70555212f8efb0b5b30e11e9daa93f5cfe5df18579929f58da51090c3bf864
              • Instruction Fuzzy Hash: E9F05E71A15248ABDB04EBA8D91AEAE77B8EB44304F440459E901EB291EA74E9018755
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
              • Instruction ID: c5e738331cdb140a6620b09dc55dac084990b91350ccc7e41e21eca7d59c9726
              • Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
              • Instruction Fuzzy Hash: 86E0E533204618ABD6215A0AD804F52BB6AFF507B1F144519A959976D09BB0ED11CAD4
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
              • Instruction ID: ca9ee8ac02876402acf9fe0c5107862d760f36f3a4ce555b24442115001823eb
              • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
              • Instruction Fuzzy Hash: 8EF0E53A304B45DBEB15EF15C058AB57BE9FB81350B054454EC46CB300DB32ED85CB90
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
              • Instruction ID: a9a76d7dd882eb0a1752a9db8fb66aa23392c3736799d0c35b20f1c54f71e7e8
              • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
              • Instruction Fuzzy Hash: 8BE06D72610600ABD764DB68CD05FA673ACFB00760F180658B916D30D0DAB0AE40CB60
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 21e112aff8d712825dc515be148625baeb305007ec2d268a071df4b83b1d06c3
              • Instruction ID: 2714fa4e5eb00bad53d8883855dc9a0149a6cc4abe283e665c37bdc46dc38fe3
              • Opcode Fuzzy Hash: 21e112aff8d712825dc515be148625baeb305007ec2d268a071df4b83b1d06c3
              • Instruction Fuzzy Hash: CBE09272200A549BC725FB2DDD05F9A7B9AEF50364F114519B556971A0CB30AD10C7C9
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
              • Instruction ID: 4fd87e513b279daa6e46efe8a3865fbe257e8af82df3ccbab5b14419b35f15e7
              • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
              • Instruction Fuzzy Hash: 3AE0C232385618FBDB226A44CC05F79BB1AEB407A0F204031FE08AB690CA71ED91D6D5
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 636b35ca1a6578eb23c7da864d642550ce65785ef30bb6a55af3ef6cd7489af6
              • Instruction ID: b2b46b9538748e038e5605b649329f88fc8c6e3a1e6af24d04d868c883d9e392
              • Opcode Fuzzy Hash: 636b35ca1a6578eb23c7da864d642550ce65785ef30bb6a55af3ef6cd7489af6
              • Instruction Fuzzy Hash: 88E0C233200A54ABC711FB5DDD01F5A779EEF94360F140121F955C72A0CB20AD00C7D9
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
              • Instruction ID: 83850f7de2dba41eb85480047e730de34325261f4bb170529060af5da39265dd
              • Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
              • Instruction Fuzzy Hash: 38D05B31261750AFD7356F19ED09F827A76AF80B11F0905147405964F0D5B1DD44D691
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
              • Instruction ID: 0123e6d204bf153feccf885e3de943de0311bf477e580323854b07e877186fcc
              • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
              • Instruction Fuzzy Hash: B4D0A932204A20ABDB32AA1CFC04FD333E9BB88720F1A0859F418C7050C760AC81CA84
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction ID: e6882d4e27969130f63db5ff0f7da33694ac0c676b3c4f6ec59d7edcede5b3b9
              • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction Fuzzy Hash: D7D0123231747497DF2DA6556954F6B7A16AB81A98F1A046D7C0BD3900C515CC43D6E0
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
              • Instruction ID: cb7da24df23d9f5d3fef850f975309ae70be4cb9d2592a3b85df86a00e1d33b7
              • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
              • Instruction Fuzzy Hash: 7BC01232250644AFC7159A98CD01F0177A9E798B40F140421F60487570C531EC10D684
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
              • Instruction ID: 87a682166c7ecaacbacaad815036b8dc14761244bfe1439c79a7635d0a87b81f
              • Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
              • Instruction Fuzzy Hash: 5FC08C72242A806AFF2B5760C904F3C3650BB1060AF98099CAE45F94A1CB689C028218
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
              • Instruction ID: 37b29ac0550f797059d4f1bc70e08bc0e648505c17a3e065d064b8bc9d8cfa3a
              • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
              • Instruction Fuzzy Hash: 38C04C75751A458FCF15DB19D294F5577E4F744740F150890EC05DB721E624EC01CA11
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d11a881f4ee7b2f5ccef9fbf03d8be18565c2cad7675a683bb3a4c4c51b840fe
              • Instruction ID: 2e6f84f9414146dcf09983e5a9b6d32d1cc371a63912e02617bdd8136aa959cb
              • Opcode Fuzzy Hash: d11a881f4ee7b2f5ccef9fbf03d8be18565c2cad7675a683bb3a4c4c51b840fe
              • Instruction Fuzzy Hash: 2E90026670151046414071584844406A16597E13013D5C115A5558560C861C8D59967A
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5b418f04a9624884d0c3089e638a98fe60b678fc92c10adae7a7b8e7b6a94eae
              • Instruction ID: 51aa7cbec82f51ea1649aaa853018375080d1ee04428e18d8104b867b310b787
              • Opcode Fuzzy Hash: 5b418f04a9624884d0c3089e638a98fe60b678fc92c10adae7a7b8e7b6a94eae
              • Instruction Fuzzy Hash: 6690022634141806D140715884547074166C7D0601F95C011A5028554D861A8E696AB2
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a53312e665549d0922273fa7b9a2a13ac30312692fa8d6f67664e893106d3f57
              • Instruction ID: 4e7b2f5286d81bdb9c8427ab383059ba07aeb67e7e59ddfb18627e64fd96ad95
              • Opcode Fuzzy Hash: a53312e665549d0922273fa7b9a2a13ac30312692fa8d6f67664e893106d3f57
              • Instruction Fuzzy Hash: F790022630185446D14072584844B0F826587E1202FD5C019A915A554CC9198D595B32
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3fed0b53299b0d76dcad2cc4d004f1726a6bc66ba5abe4b3f75c83e8f242a1f7
              • Instruction ID: 2ec687c182b35b2679de832b889812a9075ece3542d80deb6649aef055979654
              • Opcode Fuzzy Hash: 3fed0b53299b0d76dcad2cc4d004f1726a6bc66ba5abe4b3f75c83e8f242a1f7
              • Instruction Fuzzy Hash: CF900236705810169140715848C4546816597E0301B95C011E5428554C8A188E5A5772
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 209c3dbdae1fe2655472281dc881d932bea8ce12f349c4fb6f0cd73a384f5f30
              • Instruction ID: bbf8ba88a1fb274a59711b18a01f4ca5c61e453653b30b8a8368fd4fb861e519
              • Opcode Fuzzy Hash: 209c3dbdae1fe2655472281dc881d932bea8ce12f349c4fb6f0cd73a384f5f30
              • Instruction Fuzzy Hash: FE90023634141406D14171584444606416997D0241FD5C012A5428554E86598F5AAE72
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9afe19f98d1744c6beb7c23f8d3e80d49b7f399c1cfe7910cc161b7223909a95
              • Instruction ID: 80777464f571585b228dbded3418b91e4379c2ed1bde3d19b9f7f16d6d64267c
              • Opcode Fuzzy Hash: 9afe19f98d1744c6beb7c23f8d3e80d49b7f399c1cfe7910cc161b7223909a95
              • Instruction Fuzzy Hash: C0900226342451565545B1584444507816697E02417D5C012A6418950C852A9D5ADA32
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 26836ee523dd6df65d0daf59526ba70a3f8ec7978359f8ffc2b4fdc09c2f4dd8
              • Instruction ID: 6eee2d5bd513c969c15747496f5de73b317ab35cf18f2912cf08b23457f3e30f
              • Opcode Fuzzy Hash: 26836ee523dd6df65d0daf59526ba70a3f8ec7978359f8ffc2b4fdc09c2f4dd8
              • Instruction Fuzzy Hash: 7290022630545446D10075585448A06416587D0205F95D011A6068595DC6398D55A532
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 65c63e565e975b3984c565cc54ecd5e5ec9549b27ce8207656a5b7470801035b
              • Instruction ID: 95f6c9a8a549eca58271ae1e5c3fd449f1c35297952be0ec60b8e831e78e60a8
              • Opcode Fuzzy Hash: 65c63e565e975b3984c565cc54ecd5e5ec9549b27ce8207656a5b7470801035b
              • Instruction Fuzzy Hash: B890023630241146954072585844A4E826587E1302BD5D415A5019554CC9188D655632
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dc4ebe19312d6cfb1172918c24592d4d254a05ff4b0b85bc1421c37cfd1d4dc7
              • Instruction ID: 7af9602417d6e23a4bbf4406c33290eaaf3951b048b3285e28e4960dd63e3798
              • Opcode Fuzzy Hash: dc4ebe19312d6cfb1172918c24592d4d254a05ff4b0b85bc1421c37cfd1d4dc7
              • Instruction Fuzzy Hash: E890022E31341006D1807158544860A416587D1202FD5D415A5019558CC9198D6D5732
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c0f7a5ae9733c5e02e84f17b2614ada2aedc4482680a1318921a33729a2f8ee1
              • Instruction ID: cdb26f6e227286b0473984a3b44261aa9c250de689be34566b23059fff1747fb
              • Opcode Fuzzy Hash: c0f7a5ae9733c5e02e84f17b2614ada2aedc4482680a1318921a33729a2f8ee1
              • Instruction Fuzzy Hash: D790022630141007D140715854586068165D7E1301F95D011E5418554CD9198D5A5633
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 676a077adac283846c7b38997eb4e99502a5790418cab8ef55aa26f4dbeda841
              • Instruction ID: 56dcda3b9b0a9ce0799960809bf6b704669959123cc543715149e4b4812da1c0
              • Opcode Fuzzy Hash: 676a077adac283846c7b38997eb4e99502a5790418cab8ef55aa26f4dbeda841
              • Instruction Fuzzy Hash: BB90023A30141406D5107158584464641A687D0301F95D411A5428558D86588DA5A532
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: eeda772e3cd2e19724e297ce48c04bd1c2bc7314ecec749fba322a717390e4d8
              • Instruction ID: a78c4f149e33e8fed33722ac680547a12f99f960477c9d5f2fe9fb26a12dbc11
              • Opcode Fuzzy Hash: eeda772e3cd2e19724e297ce48c04bd1c2bc7314ecec749fba322a717390e4d8
              • Instruction Fuzzy Hash: 2490023630141406D10075985448646416587E0301F95D011AA028555EC6698D956532
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e183e4e52adc8fa6cc299f104d89f3f846638613e77cff123355728ec6adb47c
              • Instruction ID: 133d57a36cd9653ea4ff71393fe248b320ab727ce5aac701d2a297a408a00bcb
              • Opcode Fuzzy Hash: e183e4e52adc8fa6cc299f104d89f3f846638613e77cff123355728ec6adb47c
              • Instruction Fuzzy Hash: BA90022670541406D14071585458706417587D0201F95D011A5028554DC65D8F596AB2
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 27fb6bb6c562e58551f8b886ea042f89610ffd7f5bfbd3895f7d36a7617e0862
              • Instruction ID: 8654dfbd9b569d95c42a966f1d4d6c7c21f5678f39e8c196197a6d2c0e2ededa
              • Opcode Fuzzy Hash: 27fb6bb6c562e58551f8b886ea042f89610ffd7f5bfbd3895f7d36a7617e0862
              • Instruction Fuzzy Hash: 0A90023630141407D10071585548707416587D0201F95D411A5428558DD65A8D556532
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 961bc3d9715fb290119fa1602693e438510b45ab36fa92d7e690c0ca4f5c30f1
              • Instruction ID: 55a711580d31ed4bd4e8fbb2e0bea262d9e730a930e72696261648cf3c60bf43
              • Opcode Fuzzy Hash: 961bc3d9715fb290119fa1602693e438510b45ab36fa92d7e690c0ca4f5c30f1
              • Instruction Fuzzy Hash: 9790023630141846D10071584444B46416587E0301F95C016A5128654D8619CD557932
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4a17654a6321a0cc2ba598ff2ec38de161320b4e67402765cea242c09379b42a
              • Instruction ID: a8a76ef46d38429bb5c85e5a3792ae1eda3d38ed171d4570baa7b98a744dcbc8
              • Opcode Fuzzy Hash: 4a17654a6321a0cc2ba598ff2ec38de161320b4e67402765cea242c09379b42a
              • Instruction Fuzzy Hash: AA90023630181406D1007158485470B416587D0302F95C011A6168555D86298D556972
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b46793656bd7f9ece788d764032921c3c7d3de558608bd967484929fc71e96cc
              • Instruction ID: 63bec600236497022134753adea615de5efaef7c3534b29272ab9fbe87ef28f0
              • Opcode Fuzzy Hash: b46793656bd7f9ece788d764032921c3c7d3de558608bd967484929fc71e96cc
              • Instruction Fuzzy Hash: 4290023630181406D10071584848747416587D0302F95C011AA168555E8669CD956932
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d63f4be8c60775769f3516f110aa29124d84b6dc79767254e7f454016cad6a3d
              • Instruction ID: 35196ec29855047fd303dfa2815cd6001acebc040e89584b407f942967f90691
              • Opcode Fuzzy Hash: d63f4be8c60775769f3516f110aa29124d84b6dc79767254e7f454016cad6a3d
              • Instruction Fuzzy Hash: 99900226701410464140716888849068165ABE1211795C121A599C550D855D8D695A76
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d2644c6b4443046650c47c2c080b73b53564acf3a08a86f190b325d317345303
              • Instruction ID: 076d06649f0bb863efb2c68677fe0ad041fefa780b13b3217dce8012c366944a
              • Opcode Fuzzy Hash: d2644c6b4443046650c47c2c080b73b53564acf3a08a86f190b325d317345303
              • Instruction Fuzzy Hash: 6D900226311C1046D20075684C54B07416587D0303F95C115A5158554CC9198D655932
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f6c5cd487278b31fa7f5143ef70cb375d9e98bea623c0ebc7680537c7958106b
              • Instruction ID: 2c7ff88f4bd3b78df9bc7978d92964115453eace1cbc3e6afb88059d8e3dca52
              • Opcode Fuzzy Hash: f6c5cd487278b31fa7f5143ef70cb375d9e98bea623c0ebc7680537c7958106b
              • Instruction Fuzzy Hash: 8490026634141446D10071584454B064165C7E1301F95C015E6068554D861DCD566537
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6389ecd4f5c8bcda582862703dfd0c178ab596fe48012416f4265f6a34798306
              • Instruction ID: 6f1977711fdf9236d4c52d9bd34bc22c56445acf8c8da7e6de7cfc7de8306834
              • Opcode Fuzzy Hash: 6389ecd4f5c8bcda582862703dfd0c178ab596fe48012416f4265f6a34798306
              • Instruction Fuzzy Hash: 9F90026631141046D1047158444470641A587E1201F95C012A7158554CC52D8D655536
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f5d1b57e2db00607125fe2443a23e01bf439023e63bcd20d30844185ba43dcbb
              • Instruction ID: e73fe5ccc357356f5cac764e49ebc56a20e155419506f5fdde94e9e8e7bb17d0
              • Opcode Fuzzy Hash: f5d1b57e2db00607125fe2443a23e01bf439023e63bcd20d30844185ba43dcbb
              • Instruction Fuzzy Hash: B590022670141506D10171584444616416A87D0241FD5C022A6028555ECA298E96A532
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 57bdc23524c0d6cd8405ae590895bd537270e6fc0682abea0a71e8baa524ef30
              • Instruction ID: f10a36b35e1ac487c77c9605fd577e34a3e73a504781c10bf26aa296ee6269f1
              • Opcode Fuzzy Hash: 57bdc23524c0d6cd8405ae590895bd537270e6fc0682abea0a71e8baa524ef30
              • Instruction Fuzzy Hash: 5790027630141406D14071584444746416587D0301F95C011AA068554E865D8ED96A76
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7af47f74db09e85ebe3c2a2ee3e88d83f96a25e6acb18a92858958298792f658
              • Instruction ID: bdd0160877ca3c05706b614ff8ee1dc0ded489c3953f809c3a662e32ea34b1be
              • Opcode Fuzzy Hash: 7af47f74db09e85ebe3c2a2ee3e88d83f96a25e6acb18a92858958298792f658
              • Instruction Fuzzy Hash: 8790026630181407D14075584844607416587D0302F95C011A7068555E8A2D8D556536
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f931ddd4a364afc13b9c6047e31db8fc0d9fb86475ba5d13028db5da5e17ccf3
              • Instruction ID: 7f2fc765ab6f0fe78d9a201fe1979d7612ea8817c95a3a6ca5148352f6ec221c
              • Opcode Fuzzy Hash: f931ddd4a364afc13b9c6047e31db8fc0d9fb86475ba5d13028db5da5e17ccf3
              • Instruction Fuzzy Hash: 4790022630141406D102715844546064169C7D1345FD5C012E6428555D86298E57A533
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dbdb2dc2da760e970e177c47cb56c06b06846ebec01da1790c88fa009f44760b
              • Instruction ID: 6170115a24d55ef439fd8632e6d62cf4b830c8aa07fa09f2168057886920c0c2
              • Opcode Fuzzy Hash: dbdb2dc2da760e970e177c47cb56c06b06846ebec01da1790c88fa009f44760b
              • Instruction Fuzzy Hash: D190022634546106D150715C44446168165A7E0201F95C021A5818594D85598D596632
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 408635c266067271b3f05d23bf1c799e74ef107286ac5219f4c22b30e4320779
              • Instruction ID: 1fa0ffa6be2c4802569d8444a158983cd65fb459e0d4debff1013a3faa00a1c7
              • Opcode Fuzzy Hash: 408635c266067271b3f05d23bf1c799e74ef107286ac5219f4c22b30e4320779
              • Instruction Fuzzy Hash: 4A90023630141806D10471584844686416587D0301F95C011AB028655E96698D957532
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4fa80dbad05db6722f3871421930f135550f36eafdde21d5c043699fc8208888
              • Instruction ID: 4fd6bf1631be82dff9306ece0a15ef12c2be6c5cadc597450738a4491543d63f
              • Opcode Fuzzy Hash: 4fa80dbad05db6722f3871421930f135550f36eafdde21d5c043699fc8208888
              • Instruction Fuzzy Hash: 6090023670541806D15071584454746416587D0301F95C011A5028654D87598F597AB2
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5c7368f3e9d12d93b40a012e3231dd9a8c7cf31a52981e59568102b787a85e24
              • Instruction ID: 09dfcaff3c26619f44f0f0698c112113010e2361b0cfae6764f4b555a6dd72eb
              • Opcode Fuzzy Hash: 5c7368f3e9d12d93b40a012e3231dd9a8c7cf31a52981e59568102b787a85e24
              • Instruction Fuzzy Hash: B290023630545846D14071584444A46417587D0305F95C011A5068694D96298E59BA72
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0ca2c2960879e5dae6fbb0942ee1fc23d81d3cb67c19c92ba7a3819770c611c7
              • Instruction ID: 949777aa5ca4a8a589c69ef097c4084df54cd823a200bdf9c1b724e87721edf2
              • Opcode Fuzzy Hash: 0ca2c2960879e5dae6fbb0942ee1fc23d81d3cb67c19c92ba7a3819770c611c7
              • Instruction Fuzzy Hash: 4790023630141806D1807158444464A416587D1301FD5C015A5029654DCA198F5D7BB2
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c05e7b037d4959e42e3f00c8426eac82a8dbb26dce750c2e8d0068f82de73810
              • Instruction ID: e7219ba8c2d2a48c5a3eb8896d64a3a7d355f047cfa1208903dc1444de1b5000
              • Opcode Fuzzy Hash: c05e7b037d4959e42e3f00c8426eac82a8dbb26dce750c2e8d0068f82de73810
              • Instruction Fuzzy Hash: E59002A6301550964500B2588444B0A866587E0201B95C016E6058560CC5298D559536
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 032d788cf3a5234144e0f9db3a149d3987f943d63ff93e14b74c513b81475c19
              • Instruction ID: 2aadb0db10ad88967ee73f35420036ff6bdb5c42ea3b23cd7a4c14c6d85b5beb
              • Opcode Fuzzy Hash: 032d788cf3a5234144e0f9db3a149d3987f943d63ff93e14b74c513b81475c19
              • Instruction Fuzzy Hash: D890022A311410070105B558074450741A687D5351395C021F6019550CD6258D655532
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 94a691114064afd3b06f4a7249f037653bb0ce1c10124f33504767564478e7fc
              • Instruction ID: c3b277522ea9d2cb8ccd21fae58bece0b9f8373de8f20d1b1a2f0ed5f248d638
              • Opcode Fuzzy Hash: 94a691114064afd3b06f4a7249f037653bb0ce1c10124f33504767564478e7fc
              • Instruction Fuzzy Hash: 4690022A321410060145B558064450B45A597D63513D5C015F641A590CC6258D695732
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction ID: 3c3ebd2abaf183f79674e8668d8e15843a04af5e87211478a4b469b3f7b2c1fe
              • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction Fuzzy Hash:
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              • Opcode ID: de306fb11a66c93039e95bdac05ecd4beeb90f685b41f5743ad9929f96a4280b
              • Instruction ID: b8b8133937d35484b50f03cb6e4c44b4e43a17056b0d5d4cf19e3c576f0a7098
              • Opcode Fuzzy Hash: de306fb11a66c93039e95bdac05ecd4beeb90f685b41f5743ad9929f96a4280b
              • Instruction Fuzzy Hash: 6151EBB5A0411ABFCB14DB9C889497EFBF9FB0C200B54816DECDAD7681E634DE0487A0
              Strings
              • CLIENT(ntdll): Processing section info %ws..., xrefs: 058F4787
              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 058F4742
              • Execute=1, xrefs: 058F4713
              • ExecuteOptions, xrefs: 058F46A0
              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 058F4655
              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 058F46FC
              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 058F4725
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
              • API String ID: 0-484625025
              • Opcode ID: a5b16745831a13250ddea4139bf42c83e2b9f5ab22de27637ce4ef3946721bec
              • Instruction ID: 8de5f2b2e89815e4d8e201249c3e70742734e39bdc983c9f3e63af8b85725f5d
              • Opcode Fuzzy Hash: a5b16745831a13250ddea4139bf42c83e2b9f5ab22de27637ce4ef3946721bec
              • Instruction Fuzzy Hash: 9051E73160431D6AEF10EA68DC99FFA77ADFB49304F040099ED05E7291EBB09E45CB55
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-$0$0
              • API String ID: 1302938615-699404926
              • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
              • Instruction ID: e6f8a4cfd6d4e893356fe3e41cd4c2b82b304ca20aa30439299803e5fd04c29d
              • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
              • Instruction Fuzzy Hash: 84816D70A49A499BDF24CE68C853BBEBFA2BF45352F98419DDC92E7290C734DC408B51
              Strings
              • RTL: Re-Waiting, xrefs: 058F7BAC
              • RTL: Resource at %p, xrefs: 058F7B8E
              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 058F7B7F
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 0-871070163
              • Opcode ID: 45b1070f30166bc987b065886515aa291dba8cf475965273fb6dd8d0f46332fb
              • Instruction ID: 1a8e9b0f80d436739cf9dcc25ee3a47e7db1cc29561ae338e43b47dd248b5fce
              • Opcode Fuzzy Hash: 45b1070f30166bc987b065886515aa291dba8cf475965273fb6dd8d0f46332fb
              • Instruction Fuzzy Hash: 214190317047069FE720DE298840B6AB7EAEB89711F100A1DED9AD7780DB71E905CB91
              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 058F728C
              Strings
              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 058F7294
              • RTL: Re-Waiting, xrefs: 058F72C1
              • RTL: Resource at %p, xrefs: 058F72A3
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 885266447-605551621
              • Opcode ID: 69f3288af026b31257bed2286e4041e1c809c9460ff751fb7b0ae5b90a44f3ee
              • Instruction ID: aa99eb68d245e4a3ade4dca369a9ddfa8b295d8daedcf2bcc4a2be51b9dc1640
              • Opcode Fuzzy Hash: 69f3288af026b31257bed2286e4041e1c809c9460ff751fb7b0ae5b90a44f3ee
              • Instruction Fuzzy Hash: 2A41AC31704206ABE721DE25CC41FAAB7E6FB88715F100619ED56EB380DB71EC52CB92
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-
              • API String ID: 1302938615-2137968064
              • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
              • Instruction ID: e9491f2c6b8e202d4cf83bbe625c599dc4217d1d2f9e5faccd44b52b0f84549d
              • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
              • Instruction Fuzzy Hash: 7391AE71E1420A9ADB24DE69C881ABEBFA6FF45720F14459EEC65E72C0E730DD418F20
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID:
              • String ID: $$@
              • API String ID: 0-1194432280
              • Opcode ID: a13cae819f4789500a9d182e33b667fb440b211340f02915b4e1f8a87da6addf
              • Instruction ID: ec018552d137b5ccff5d8adadf4cf4045f39d5c9233c3e71e9c0e8672724541c
              • Opcode Fuzzy Hash: a13cae819f4789500a9d182e33b667fb440b211340f02915b4e1f8a87da6addf
              • Instruction Fuzzy Hash: 98812975D042699BDB25DB54CC44BEAB7B8BB09710F0441EAED1AF7240D7309E81CFA1
              APIs
              • @_EH4_CallFilterFunc@8.LIBCMT ref: 0590CFBD
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.1799695833.0000000005850000.00000040.00001000.00020000.00000000.sdmp, Offset: 05850000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5850000_ngen.jbxd
              Similarity
              • API ID: CallFilterFunc@8
              • String ID: @$@4Qw@4Qw
              • API String ID: 4062629308-2383119779
              • Opcode ID: 7a1574f85fdf4d8345b3303d649a8e5d3dcbc5a0e8dd9c1c74528f9a652c8d4f
              • Instruction ID: 4b701a101db5bd133c7178a066f3a25dc7e60d64736c764cd4334961eb41b63e
              • Opcode Fuzzy Hash: 7a1574f85fdf4d8345b3303d649a8e5d3dcbc5a0e8dd9c1c74528f9a652c8d4f
              • Instruction Fuzzy Hash: B241B171A04318DFDB25DFA9C844AAEBBB8FF44B00F04592AE905DB294D730DC01DB62